oss-sec mailing list archives
Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization
From: Daniel Beck <ml () beckweb net>
Date: Wed, 18 Nov 2015 11:00:13 +0100
On 18.11.2015, at 01:54, cve-assign () mitre org wrote:
> As far as we know, "the Groovy variant in 'ysoserial'" means: https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java
Exactly. My apologies for the vague description.
> Also, we are guessing that Groovy is relevant because of: https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin
Groovy Plugin and its version is unrelated, as Groovy is included in Jenkins core. Jenkins was vulnerable even without Groovy Plugin.
> If it were necessary or recommended to change any component unique to Jenkins, then you can have an additional CVE ID for the ysoserial Groovy aspect of SECURITY-218. (Our expectation is that separate CVE IDs are needed because the Groovy plugin has its own version numbering -- such as version 1.27 -- that's separate from the version numbering of Jenkins core.)
We updated neither commons-collections nor Groovy; the fix for both is specific to Jenkins, in the same component, and was part of the same release of Jenkins. Does this mean the one CVE ID covers both?

-- Daniel Beck
