CVE-2017-1000353

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.56 and earlier Jenkins version 2.46.1 LTS and earlier

Description The issue is related to an unauthenticated remote code execution, where an attacker can transfer a serialized Java SignedObject object to the Jenkins CLI. This object would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. The exploitation of this issue may allow a remote attacker to execute arbitrary code by sending a serialized Java object to the Jenkins CLI.

Recommendations For Jenkins versions 2.56 and earlier, update to a version that includes the fix, which adds SignedObject to the blacklist and backports the new HTTP CLI protocol. For Jenkins version 2.46.1 LTS and earlier, update to LTS 2.46.2 or later, which includes the backported HTTP CLI protocol and deprecates the remoting-based CLI protocol, disabling it by default. As a temporary workaround, consider disabling the remoting-based (i.e. Java serialization) CLI protocol to minimize the risk of exploitation.