[OpenStack-Infra] Mitigating unauthenticated remote code execution 0-day in Jenkins CLI

Craige McWhirter craige at mcwhirter.com.au
Mon Nov 9 06:30:52 UTC 2015


Not sure whether we're on this or not but I've not seen any chatter or
changes to address it, so I'm dropping it here first:

"Earlier today we received numerous reports about a previously
undisclosed "zero day" critical remote code execution vulnerability and
exploit in Jenkins core. Unfortunately the vulnerability was not
disclosed to us ahead of its publication so we're still working on a more
thorough fix. In the meantime however, we wanted to inform you of the
issue and provide a workaround which will help prevent this exploit from
being used against public Jenkins installations. For future reference,
this issue is being tracked privately as SECURITY-218 in our issue tracker.

The attack is mounted through the Jenkins CLI subsystem, so the
work-around is to remove/disable the CLI support inside of the running
Jenkins server."

http://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

-- 
Craige McWhirter
M: 0468591819
W: http://mcwhirter.com.au/
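The advisory quoted above names the workaround (disable the CLI subsystem) but the message does not include a script for it. Below is an added example, not code from this message or from the Jenkins project, of a startup Groovy script that removes the CLI root action so the server stops serving the CLI entry point. It assumes a Jenkins 1.x install of that era where scripts in `$JENKINS_HOME/init.groovy.d/` run at startup (assumed path), and it matches the action by class name containing "CLIAction" (an assumption about the class naming); after a restart, a request to the server's `/cli` path should no longer return the CLI page, which is the check to run before trusting the mitigation.

```groovy
// Assumed location: $JENKINS_HOME/init.groovy.d/disable-cli.groovy
// Runs once at Jenkins startup; removes the CLI root action so the CLI
// subsystem (the entry point the advisory describes) is not exposed.
import hudson.model.RootAction
import jenkins.model.Jenkins

def jenkins = Jenkins.getInstance()

// Collect matches first, then remove, to avoid modifying the list while
// iterating over it. The class-name match is an assumption about how the
// CLI action is named in this Jenkins version.
def removeCliActions = { List actions ->
    def matches = actions.findAll { it.getClass().name.contains("CLIAction") }
    matches.each { actions.remove(it) }
    return matches.size()
}

int removed = 0
// The CLI action can be registered both as a RootAction extension and on
// the root object's own action list, so sweep both.
removed += removeCliActions(jenkins.getExtensionList(RootAction.class))
removed += removeCliActions(jenkins.actions)

println("disable-cli.groovy: removed ${removed} CLI action(s)")
```

Restart Jenkins after dropping the file in place, then confirm in the startup log that the script reported at least one removed action and that `/cli` on the instance no longer answers with the CLI page; if it still does, the class-name assumption does not hold for your version and the script needs adjusting.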
