Security Experts:

Critical Flaw Patched in Jenkins Automation Server

The developers of Jenkins recently patched several vulnerabilities, including a critical weakness that can be exploited by a remote attacker for arbitrary code execution.

Jenkins is the most popular open source automation server, with over 133,000 installations and more than 1 million users worldwide. The product, maintained by CloudBees and the Jenkins community, is designed to help developers build, test and deploy their software.

An independent security researcher recently informed Beyond Security’s SecuriTeam Secure Disclosure program that Jenkins is affected by a serious vulnerability related to Java deserialization.

According to experts, the flaw allows an unauthenticated attacker to execute arbitrary code by sending two specially crafted requests to the vulnerable server. Technical details for the security hole, tracked as CVE-2017-1000353, were published by Beyond Security earlier this month.

In a security advisory published in late April, Jenkins developers said this critical vulnerability “allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.”

The flaw has been patched with the release of Jenkins 2.57 and 2.46.2 (LTS), which also address several other types of problems. This includes multiple high severity cross-site request forgery (CSRF) vulnerabilities that can be exploited by an attacker to perform administrative actions by getting targeted users to open a specially crafted webpage.

Jenkins developers said the CSRF flaws can be exploited to restart the server, downgrade Jenkins, install plugins, change users’ API tokens, modify configurations, and create administrator accounts.

Another high severity weakness, tracked as CVE-2017-1000354, allowed an attacker to impersonate Jenkins users. The flaw was related to the “login” command, which stored the encrypted username of successfully authenticated users in a cache file.

The update also fixes a medium severity issue related to the XStream library. This third-party component, which is used by Jenkins for serializing and deserializing XML, is affected by a flaw that can be leveraged to crash the Java process.

Related: Flaws in Java AMF Libraries Allow Remote Code Execution

Related: Remote Code Execution Flaw Found in Java App Servers

Related: Deserialization Bug in PayPal App Allowed Code Execution

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.