Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) pipelines, supporting software building, testing, and deployment across various platforms. Disclosed in April 2017, CVE-2017-1000353 is a critical deserialization vulnerability that allowed attackers to execute arbitrary code remotely without authentication. The vulnerability affects Jenkins main line releases up to and including version 2.56 and Jenkins LTS releases up to and including 2.46.1.
| Field | Value |
| --- | --- |
| Product | Jenkins |
| Date | 2025-10-07 12:41:25 |
Technical Summary
The vulnerability stems from insecure Java deserialization in the remoting functionality of the Jenkins CLI (Command Line Interface). Specifically, the bug resides in the readFrom function within Command.java, where Jenkins deserializes user-controlled data coming from an ObjectInputStream instance.
The core issue is that attackers can transfer a serialized Java SignedObject to the remoting-based Jenkins CLI, which is then deserialized via a new ObjectInputStream, bypassing the blocklist-based protection mechanism.
Because the existing Jenkins blocklist did not cover SignedObject, the outer stream accepted it, and deserializing the SignedObject in turn deserialized the content it encapsulates, which the blocklist never inspected.
The attack scenario would look like this: Attackers send two HTTP requests:
- The first request establishes a valid Jenkins CLI session with two channels (upload/download);
- The second request uploads a SignedObject containing a malicious serialized Java object;
- The readFrom function deserializes the SignedObject;
- The encapsulated content of the SignedObject is then deserialized, bypassing the blocklist;
- Malicious gadget chains are triggered during deserialization and execute arbitrary code with the privileges of the Jenkins server.
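The blocklist bypass described above, reduced to a stand-alone Java demonstration (an added example, not Jenkins code). It assumes a harmless class named Blocked standing in for a blocklisted gadget class and a hypothetical BlocklistObjectInputStream that mimics a per-stream blocklist; the third step shows the process-wide ObjectInputFilter (JDK 9+), which also governs the fresh ObjectInputStream that SignedObject.getObject() creates internally.

```java
import java.io.*;
import java.security.*;

public class NestedDeserializationDemo {
    // Harmless stand-in for a class the blocklist is meant to stop (constructed for this demo).
    static class Blocked implements Serializable { String note = "never expected to be instantiated"; }

    // Hypothetical per-stream blocklist: only classes resolved by THIS stream are checked.
    static class BlocklistObjectInputStream extends ObjectInputStream {
        BlocklistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (desc.getName().equals(Blocked.class.getName()))
                throw new InvalidClassException("blocklisted: " + desc.getName());
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // SignedObject serializes Blocked into its own byte[]; the outer stream only ever sees SignedObject.
        SignedObject wrapper = new SignedObject(new Blocked(), kp.getPrivate(), Signature.getInstance("SHA256withRSA"));
        byte[] wrapped = serialize(wrapper);

        // 1. Direct payload: the per-stream blocklist rejects Blocked as expected.
        try (ObjectInputStream in = new BlocklistObjectInputStream(new ByteArrayInputStream(serialize(new Blocked())))) {
            in.readObject();
        } catch (InvalidClassException e) { System.out.println("direct: " + e.getMessage()); }

        // 2. Wrapped payload: SignedObject passes the blocklist, and getObject() deserializes the
        //    encapsulated bytes with a new, unfiltered ObjectInputStream, so Blocked is instantiated.
        try (ObjectInputStream in = new BlocklistObjectInputStream(new ByteArrayInputStream(wrapped))) {
            Object inner = ((SignedObject) in.readObject()).getObject();
            System.out.println("wrapped: instantiated " + inner.getClass().getName());
        }

        // 3. Process-wide filter: applies to every ObjectInputStream in the JVM, including the one inside
        //    getObject(). (Throws IllegalStateException if a filter was already set via -Djdk.serialFilter.)
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!" + Blocked.class.getName() + ";*"));
        try (ObjectInputStream in = new BlocklistObjectInputStream(new ByteArrayInputStream(wrapped))) {
            ((SignedObject) in.readObject()).getObject();
        } catch (InvalidClassException e) { System.out.println("filtered: " + e.getMessage()); }
    }
}
```

Step 2 prints the Blocked class name, showing the bypass; step 3 ends in an InvalidClassException from the inner stream, which is the behaviour a blocklist on the outer stream alone cannot provide.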
Recommendations
- Apply the patch immediately: Update all Jenkins instances to version 2.57 (weekly) or 2.46.2 LTS.
- Disable remoting-based CLI: After updating, users should disable the remoting-based CLI and switch to other modes (HTTP or SSH).
- Detection and monitoring: Implement WAF rules to detect Java deserialization attack signatures and review Jenkins access logs for suspicious patterns in CLI session creation.
