A zero-day vulnerability in Jenkins was published on Friday, November 11. Last week we provided an immediate mitigation and today we are releasing updates to Jenkins which fix the vulnerability. We strongly recommend you update Jenkins to 2.32 (main line) or 2.19.3 (LTS) as soon as possible.
Today’s security advisory contains more information on the exploit, affected versions, and fixed versions, but in short:
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
Moving forward, the Jenkins security team is revisiting the design of the Jenkins CLI over the coming weeks to prevent this class of vulnerability in the future. If you are interested in participating in that discussion, please join in on the jenkinsci-dev@ mailing list.
The Jenkins project encourages administrators to subscribe to the jenkinsci-advisories@ mailing list to receive future Jenkins security notifications.