The developers of Jenkins recently patched several vulnerabilities, including a critical weakness that can be exploited by a remote attacker for arbitrary code execution.
Jenkins is the most popular open source automation server, with over 133,000 installations and more than 1 million users worldwide. The product, maintained by CloudBees and the Jenkins community, is designed to help developers build, test and deploy their software.
An independent security researcher recently informed Beyond Security’s SecuriTeam Secure Disclosure program that Jenkins is affected by a serious vulnerability related to Java deserialization.
According to experts, the flaw allows an unauthenticated attacker to execute arbitrary code by sending two specially crafted requests to the vulnerable server. Technical details for the security hole, tracked as CVE-2017-1000353, were published by Beyond Security earlier this month.
In a security advisory published in late April, Jenkins developers said this critical vulnerability “allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.”
The flaw has been patched with the release of Jenkins 2.57 and 2.46.2 (LTS), which also address several other types of problems. This includes multiple high severity cross-site request forgery (CSRF) vulnerabilities that can be exploited by an attacker to perform administrative actions by getting targeted users to open a specially crafted webpage.
Jenkins developers said the CSRF flaws can be exploited to restart the server, downgrade Jenkins, install plugins, change users’ API tokens, modify configurations, and create administrator accounts.
Another high severity weakness, tracked as CVE-2017-1000354, allowed an attacker to impersonate Jenkins users. The flaw was related to the “login” command, which stored the encrypted username of successfully authenticated users in a cache file.
The update also fixes a medium severity issue related to the XStream library. This third-party component, which is used by Jenkins for serializing and deserializing XML, is affected by a flaw that can be leveraged to crash the Java process.
Related: Flaws in Java AMF Libraries Allow Remote Code Execution
Related: Remote Code Execution Flaw Found in Java App Servers
Related: Deserialization Bug in PayPal App Allowed Code Execution