ID CVE-2015-8103
Summary The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
References
Vulnerable Configurations
  • Red Hat OpenShift Enterprise 3.1
    cpe:2.3:a:redhat:openshift:3.1:-:-:-:enterprise
  • Jenkins 1.637
    cpe:2.3:a:jenkins:jenkins:1.637
  • Jenkins 1.625.1 Long Term Support (LTS)
    cpe:2.3:a:jenkins:jenkins:1.625.1:-:-:-:lts
  • Red Hat OpenShift Enterprise 2.0
    cpe:2.3:a:redhat:openshift:2.0:-:enterprise
CVSS
Base: 7.5 (as of 13-06-2016 - 12:47)
Impact:
Exploitability:
CWE CWE-77
CAPEC
  • Cause Web Server Misclassification
    An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward: standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a Java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.
  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • Manipulating Writeable Configuration Files
    Generally these are manually edited files that are not in the purview of the system administrators. Any ability on the attacker's behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description Jenkins CLI RMI Java Deserialization Vulnerability. CVE-2015-8103. Remote exploit for java platform
file exploits/java/remote/38983.rb
id EDB-ID:38983
last seen 2016-02-04
modified 2015-12-15
platform java
port 8080
published 2015-12-15
reporter metasploit
source https://www.exploit-db.com/download/38983/
title Jenkins CLI RMI Java Deserialization Vulnerability
type remote
metasploit via4
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0070.NASL
    description Red Hat OpenShift Enterprise release 3.1.1 is now available with updates to packages that fix several security issues, bugs and introduce feature enhancements. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. The following security issues are addressed with this release: An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to gain additional access to resources such as RAM and disk space. (CVE-2016-1905) An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain build-configuration strategies. A remote attacker could create build configurations with strategies that violate policy. Although the attacker could not launch the build themselves (launch fails when the policy is violated), if the build configuration files were later launched by other privileged services (such as automated triggers), user privileges could be bypassed allowing attacker escalation. (CVE-2016-1906) An update for Jenkins Continuous Integration Server that addresses a large number of security issues including XSS, CSRF, information disclosure and code execution have been addressed as well. (CVE-2013-2186, CVE-2014-1869, CVE-2014-3661, CVE-2014-3662, CVE-2014-3663, CVE-2014-3664, CVE-2014-3666, CVE-2014-3667, CVE-2014-3680, CVE-2014-3681, CVE-2015-1806, CVE-2015-1807, CVE-2015-1808, CVE-2015-1810, CVE-2015-1812, CVE-2015-1813, CVE-2015-1814, CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324, CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538, CVE-2015-7539, CVE-2015-8103) Space precludes documenting all of the bug fixes and enhancements in this advisory. See the OpenShift Enterprise 3.1 Release Notes, which will be updated shortly for release 3.1.1, for details about these changes: https://docs.openshift.com/enterprise/3.1/release_notes/ose_3_1_release_notes.html All OpenShift Enterprise 3 users are advised to upgrade to these updated packages.
    last seen 2019-02-21
    modified 2018-12-06
    plugin id 119442
    published 2018-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119442
    title RHEL 7 : openshift (RHSA-2016:0070)
  • NASL family General
    NASL id JENKINS_SECURITY218.NASL
    description The remote web server hosts a version of Jenkins or Jenkins Enterprise that is prior to 1.638 or 1.625.2. It is, therefore, affected by a flaw in the Apache Commons Collections (ACC) library that allows the deserialization of unauthenticated Java objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the target host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 86898
    published 2015-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86898
    title Jenkins < 1.638 / 1.625.2 Java Object Deserialization RCE
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0489.NASL
    description Red Hat OpenShift Enterprise release 2.2.9, which fixes several security issues, several bugs, and introduces feature enhancements, is now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. The following security issue is addressed with this release: It was found that ActiveMQ did not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the ActiveMQ application. (CVE-2015-5254) An update for Jenkins Continuous Integration Server that addresses a large number of security issues including XSS, CSRF, information disclosure and code execution have been addressed as well. (CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324, CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538, CVE-2015-7539, CVE-2015-8103) Space precludes documenting all of the bug fixes in this advisory. See the OpenShift Enterprise Technical Notes, which will be updated shortly for release 2.2.9, for details about these changes: https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html All OpenShift Enterprise 2 users are advised to upgrade to these updated packages.
    last seen 2019-02-21
    modified 2018-12-04
    plugin id 119368
    published 2018-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119368
    title RHEL 6 : Red Hat OpenShift Enterprise 2.2.9 (RHSA-2016:0489)
packetstorm via4
data source https://packetstormsecurity.com/files/download/134805/jenkins_java_deserialize.rb.txt
id PACKETSTORM:134805
last seen 2016-12-05
published 2015-12-14
reporter juan vazquez
source https://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html
title Jenkins CLI RMI Java Deserialization
redhat via4
advisories
  • rhsa
    id RHSA-2016:0070
  • rhsa
    id RHSA-2016:0489
refmap via4
bid 77636
confirm
exploit-db 38983
misc
mlist
  • [oss-security] 20151109 CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization
  • [oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization
Last major update 07-12-2016 - 13:26
Published 25-11-2015 - 15:59