The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

redhat RHSA-2016:0711: RHSA-2016:0711: jenkins security update (Important)

redhat RHSA-2016:1773: RHSA-2016:1773: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update (Important)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:1773 advisory.

    OpenShift Enterprise by Red Hat is the company's cloud computing     Platform-as-a-Service (PaaS) solution designed for on-premise or     private cloud deployments.

    * The Jenkins continuous integration server has been updated to upstream     version 1.651.2 LTS that addresses a large number of security issues,     including open redirects, a potential denial of service, unsafe handling of     user provided environment variables and several instances of sensitive     information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789,     CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722,     CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727,     CVE-2015-7501)

    Space precludes documenting all of the bug fixes and enhancements in this     advisory. See the OpenShift Enterprise Technical Notes, which will be     updated shortly for release 2.2.10, for details about these changes:

    https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-     single/Technical_Notes/index.html

    All OpenShift Enterprise 2 users are advised to upgrade to these updated     packages.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An updated Jenkins package and image that include a security fix are now available for Red Hat OpenShift Enterprise 3.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es) :

The Jenkins continuous integration server has been updated to upstream version 1.642.2 LTS that addresses a large number of security issues, including XSS, CSRF, information disclosure, and code execution.
(CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792)

Refer to the changelog listed in the References section for a list of changes.

This update includes the following image :

openshift3/jenkins-1-rhel7:1.642-30

All OpenShift Enterprise 3.1 users are advised to upgrade to the updated package and image.

The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the following vulnerabilities :

  - An unspecified flaw exists in the Jenkins remoting     module. An unauthenticated, remote attacker can exploit     this to open a JRMP listener on the server hosting the     Jenkins master process, allowing the execution of     arbitrary code. (CVE-2016-0788)

  - A flaw exists in main/java/hudson/cli/CLIAction.java due     to improper sanitization of CRLF sequences, which are     passed via CLI command names, before they are included     in HTTP responses. An unauthenticated, remote attacker     can exploit this, via crafted Jenkins URLs, to carry out     an HTTP response splitting attack. (CVE-2016-0789)

  - The verification of user-supplied API tokens fails to     use a constant-time comparison algorithm. An     unauthenticated, remote attacker can exploit this, via     statistical methods, to determine valid API tokens,     thus facilitating a brute-force attack to gain access     to user credentials. (CVE-2016-0790)

  - The verification of user-supplied XSRF crumbs fails to     use a constant-time comparison algorithm. An     unauthenticated, remote attacker can exploit this, via     statistical methods, to determine valid XSRF crumbs,     thus facilitating a brute-force attack to bypass the     cross-site request forgery protection mechanisms.
    (CVE-2016-0791)

  - A flaw exists in groovy.runtime.MethodClosure class due     to unsafe deserialize calls of unauthenticated Java     objects to the Commons Collections library. An     authenticated, remote attacker can exploit this, by     posting a crafted XML file to certain API endpoints, to     execute arbitrary code. (CVE-2016-0792)

The remote web server hosts a version of Jenkins or Jenkins Enterprise that is prior to 1.642.2 or 1.650. It is, therefore, affected by a Java deserialization vulnerability. An unauthenticated, remote attacker can exploit this, by deserializing specific java.rmi and sun.rmi objects, to start a JRMP listener on the server. The JRMP listener can then be exploited over RMI using objects in the Groovy or Apache Commons Collections libraries, resulting in the execution of arbitrary code.

Note that the server is reportedly affected by a number of other vulnerabilities per the Jenkins Security advisory; however, Nessus has not tested for these.

ID	Name	Product	Family	Severity
119378	RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)	Nessus	Red Hat Local Security Checks	critical
119370	RHEL 7 : jenkins (RHSA-2016:0711)	Nessus	Red Hat Local Security Checks	critical
89925	Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities	Nessus	CGI abuses	critical
89725	Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE	Nessus	General	critical

Detections

Analytics

CVE-2016-0788

critical

Tenable Plugins

Coming Soon

critical

critical

critical

critical