back to article Jenkins admin? Get buzzy patching, says Cloudbees

Cloudbees's Jenkins needs a patch against a Java deserialisation vulnerability. The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests. The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not …

  1. Anonymous Coward

    Java deserialisation vulnerability

    I have to ask, but when whoever invented deserialisation, did he give no thought as to the security implications of being able to alter or swap out the object/file in transit. What the frag are they teaching them in computer security.

    1. Shark? what shark?

      Re: Java deserialisation vulnerability

      Serialization is just a tool to turn an object into a binary blob, and vice versa. If you don't trust the provenance of the blob, the de-serialized object needs validation before use.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like