Vulnerability category: CGI
Vulnerability level:
Vulnerability information
Jenkins is an open source automation server written in Java.
Jenkins contains the following security vulnerabilities:
CVE-2017-1000353: An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.
CVE-2017-1000354: The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.
CVE-2017-1000355: Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to create or configure items (jobs), views, or agents.
CVE-2017-1000356: Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page.
Affected Versions:
Jenkins (weekly) prior to 2.57
Jenkins (LTS) prior to 2.46.2
QID Detection Logic:
This unauthenticated QID matches the exposed X-Jenkins header value to detect vulnerable versions.
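The following is an added illustration of that header-based version check, not Qualys's own detection code. It parses the X-Jenkins response header and compares it against the fixed releases listed above (2.46.2 for LTS, 2.57 for weekly); the response headers used as input are constructed, not captured from a real host.

```python
import re

# Fixed releases from the advisory: three-component versions are LTS (2.46.x),
# two-component versions are weekly releases.
FIXED_LTS = (2, 46, 2)
FIXED_WEEKLY = (2, 57)

# Constructed sample responses (not real hosts).
SAMPLE_RESPONSES = {
    "host-a": {"Server": "Jetty(9.2.z-SNAPSHOT)", "X-Jenkins": "2.46.1"},
    "host-b": {"Server": "Jetty(9.2.z-SNAPSHOT)", "X-Jenkins": "2.57"},
    "host-c": {"Server": "nginx"},  # header stripped by a proxy: undecidable
}


def parse_jenkins_version(value):
    """Turn '2.46.1' or '2.56' into a tuple of ints; None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(value):
    """True if the advertised version precedes the fix for its release line.

    Returns None when the header cannot be parsed. Note this is a banner check:
    a suppressed or spoofed header, or a vendor backport, can mislead it.
    """
    v = parse_jenkins_version(value)
    if v is None:
        return None
    # Tuple comparison gives correct numeric ordering (2.9 < 2.46).
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def check_headers(headers):
    """Case-insensitive lookup of X-Jenkins; returns (value, verdict)."""
    lowered = {k.lower(): val for k, val in headers.items()}
    value = lowered.get("x-jenkins")
    if value is None:
        return (None, None)
    return (value, is_vulnerable(value))


if __name__ == "__main__":
    for host, hdrs in SAMPLE_RESPONSES.items():
        print(host, check_headers(hdrs))
```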
Vulnerability impact
Depending on the vulnerability being exploited, an unauthenticated, remote attacker could execute arbitrary code, conduct cross-site request forgery attacks, impersonate other Jenkins users, or cause a denial of service on the targeted system.
Solution
Customers are advised to upgrade to Jenkins 2.46.2, 2.57 or later versions to remediate these vulnerabilities.
Patch:
Following are links for downloading patches to fix the vulnerabilities: