CVE-2017-1000353
CloudBees Jenkins 2.32.1 - Java Deserialization
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
Jenkins, en versiones 2.56 y anteriores y 2.46.1 LTS y anteriores, es vulnerable a la ejecución remota de código. Una vulnerabilidad de ejecución remota de código permitía que los atacantes transfiriesen un objeto Java "SignedObject" en la interfaz de línea de comandos de Jenkins, que se deserializaría mediante un nuevo "ObjectInputStream", omitiendo el mecanismo de protección existente basado en listas negras. Se ha solucionado este problema añadiendo "SignedObject" a la lista negra. También se va a trasladar el nuevo protocolo HTTP CLI de Jenkins 2.54 a LTS 2.46.2 y dejar en desuso el protocolo CLI basado en remoto (por ejemplo, la serialización Java), deshabilitándolo por defecto.
An unauthenticated Java object deserialization vulnerability exists in the CLI component for Jenkins versions 2.56 and below. The readFrom method within the Command class in the Jenkins CLI remoting component deserializes objects received from clients without first checking / sanitizing the data. Because of this, a malicious serialized object contained within a serialized SignedObject can be sent to the Jenkins endpoint to achieve code execution on the target.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-05-05 CVE Published
- 2018-01-29 CVE Reserved
- 2019-11-12 First Exploit
- 2024-08-05 CVE Updated
- 2024-08-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html | Third Party Advisory |
|
| http://www.securityfocus.com/bid/98056 | Broken Link |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/41965 | 2024-08-05 | |
| https://github.com/vulhub/CVE-2017-1000353 | 2019-11-12 | |
| https://github.com/r00t4dm/Jenkins-CVE-2017-1000353 | 2022-10-12 |
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2022-06-13 |
| URL | Date | SRC |
|---|---|---|
| https://jenkins.io/security/advisory/2017-04-26 | 2022-06-13 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.56 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.56" | - |
Affected
| ||||||
| Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.46.1 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.46.1" | lts |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.9.0" | - |
Affected
| ||||||