CVE-2017-1000353: Jenkins unauthenticated remote code execution
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java
SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new
ObjectInputStream, bypassing the existing blacklist-based protection mechanism.
SignedObject has been added to the remoting blacklist.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- All versions of Altoros Jenkins for PCF prior to 1.0.2
Users of affected versions should apply the following mitigation:
- Upgrade Altoros Jenkins for PCF to 1.0.2