Update advisory for Jenkins CVE-2016-1000027 #100
Merged
I'm pretty sure this code path isn't in execution. This is an RCE vulnerability in the Spring Framework tooling related to Java deserialization. There's an extensive GitHub issue which basically says that they have done everything they can do and the CVE is outdated.
I looked to see how Jenkins was using this library, and it looks like for their own vuln scanning support they also suppress this CVE, with a comment saying:

"Data serialization is performed by the Jenkins framework, nothing specific to this application."

At that point I pretty much concluded Jenkins isn't running the vulnerable code in the Spring tooling.
This is a Critical CVE though and also this is my first analysis, so if anyone disagrees please let me know 😄
closes #99