Timeframe
Vulnerability public @ November 6th 2015 15:00 (UTC)
Vulnerability closed @ November 6th 2015 22:00 (UTC)
Vulnerability fixed @ November 9th 04:00 (UTC)
Vulnerability fixed @ November 9th 04:00 (UTC)
Impact
- CLI / OPE connectivity disabled
Root Cause
See https://www.cloudbees.com/jenkins-security-advisory-2015-11-06
The CloudBees response to the vulnerability announcement (see advisory) was to close the OPE/CLI TCP ports - and then remove CLI functionality shortly thereafter. This occurred 7 hours after the vulnerability was made public.
On November 8th, a patch was released to close the vulnerability in the Jenkins server, and we progressively rolled this patch out, and re-activated the OPE/CLI functionality on all Jenkins services.
Data Loss / Security Implications
Indications are
- there was no increase in traffic to the Jenkins servers we checked for breaches
- access to the CLI ports was closed 7 hours after the initial announcement
- the exploit as written doesn't work due to the network configuration of DEV@cloud
- the exploit is based off a commons-collections vulnerability announced early in 2015 - so there may have been unannounced vulnerabilities floating around the internet
Customers need to perform a risk assessment to determine whether they need to reissue credentials in their environment.
Followup
Our status notes are ephemeral - the overall outage notice was written and posted once the release had been completed.
https://www.cloudbees.com/jenkins-security-advisory-2015-11-06
