This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.
SECURITY-360 / CVE-2016-9299
An unauthenticated remote code execution vulnerability allowed attackers to send a serialized Java object to the Jenkins CLI that made Jenkins connect to an attacker-controlled LDAP server, which in turn could return a serialized payload leading to code execution, bypassing the existing protection mechanisms.
SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.
Affected versions: all Jenkins main line releases up to and including 2.31, and all Jenkins LTS releases up to and including 2.19.2.
Fix: Jenkins main line users should update to 2.32; Jenkins LTS users should update to 2.19.3.
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
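The version boundaries above are easy to misread across the two release lines (two-component main line numbers versus three-component LTS numbers). The following helper is added here as an illustration and is not part of the advisory or of Jenkins itself; it classifies a version string, such as the value of the X-Jenkins response header or an inventory entry, against the thresholds the advisory states. The class and method names, and the sample inventory, are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added helper (not part of the advisory): decides whether a Jenkins version
 * predates the fix for its release line. Main line releases use two components
 * (2.31) and are fixed in 2.32; LTS releases use three (2.19.2) and are fixed
 * in 2.19.3. Anything older, including every 1.x release, is affected.
 */
public final class JenkinsVersionCheck {
    private static final int[] MAINLINE_FIXED = {2, 32};
    private static final int[] LTS_FIXED = {2, 19, 3};

    /** Parses "2.19.2" into {2, 19, 2}; a qualifier such as "-SNAPSHOT" is dropped. */
    static int[] parse(String version) {
        String core = version.trim().split("[-+ ]", 2)[0];
        String[] parts = core.split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i]);
        }
        return out;
    }

    /** Component-wise numeric comparison; a missing component counts as 0. */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < Math.max(a.length, b.length); i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** LTS versions carry a third component (2.19.2); main line versions do not (2.31). */
    static boolean isLts(int[] v) {
        return v.length >= 3;
    }

    /** True when the version is older than the fixed release of its line. */
    static boolean isAffected(String version) {
        int[] v = parse(version);
        int[] fixed = isLts(v) ? LTS_FIXED : MAINLINE_FIXED;
        return compare(v, fixed) < 0;
    }

    public static void main(String[] args) {
        // Constructed sample inventory; in practice these would come from the
        // X-Jenkins response header or an asset database.
        List<String> fleet = Arrays.asList("2.31", "2.32", "2.19.2", "2.19.3", "1.651.3", "2.7.4");
        for (String v : fleet) {
            System.out.printf("%-8s %s%n", v, isAffected(v) ? "AFFECTED - upgrade" : "fixed");
        }
    }
}
```

Running the sample reports 2.31, 2.19.2, 1.651.3 and 2.7.4 as affected and 2.32 and 2.19.3 as fixed; the LTS/main line distinction matters because 2.19.2 is numerically smaller than 2.31 yet belongs to a line whose fix is 2.19.3, not 2.32.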
As part of this fix, a number of other so-called "gadget" classes (types whose deserialization can be abused to run code) were reviewed and are now also prohibited from being deserialized. We tracked this activity as SECURITY-317.