Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:1773 advisory.

  - Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix     (CVE-2014-3577)

  - apache-commons-collections: InvokerTransformer code execution during deserialisation (CVE-2015-7501)

  - jenkins: Remote code execution vulnerability in remoting module (SECURITY-232) (CVE-2016-0788)

  - jenkins: HTTP response splitting vulnerability (SECURITY-238) (CVE-2016-0789)

  - jenkins: Non-constant time comparison of API token (SECURITY-241) (CVE-2016-0790)

  - jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245) (CVE-2016-0791)

  - jenkins: Remote code execution through remote API (SECURITY-247) (CVE-2016-0792)

  - jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)     (CVE-2016-3721)

  - jenkins: Malicious users with multiple user accounts can prevent other users from logging in     (SECURITY-243) (CVE-2016-3722)

  - jenkins: Information on installed plugins exposed via API (SECURITY-250) (CVE-2016-3723)

  - jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration     (SECURITY-266) (CVE-2016-3724)

  - jenkins: Regular users can trigger download of update site metadata (SECURITY-273) (CVE-2016-3725)

  - jenkins: Open redirect to scheme-relative URLs (SECURITY-276) (CVE-2016-3726)

  - jenkins: Granting the permission to read node configurations allows access to overall system configuration     (SECURITY-281) (CVE-2016-3727)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An updated Jenkins package and image that include a security fix are now available for Red Hat OpenShift Enterprise 3.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es) :

The Jenkins continuous integration server has been updated to upstream version 1.642.2 LTS that addresses a large number of security issues, including XSS, CSRF, information disclosure, and code execution.
(CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792)

Refer to the changelog listed in the References section for a list of changes.

This update includes the following image :

openshift3/jenkins-1-rhel7:1.642-30

All OpenShift Enterprise 3.1 users are advised to upgrade to the updated package and image.

Fixes CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, and possible NoClassDefFoundError:
org/codehaus/stax2/XMLInputFactory2 exception bug.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the following vulnerabilities :

  - An unspecified flaw exists in the Jenkins remoting     module. An unauthenticated, remote attacker can exploit     this to open a JRMP listener on the server hosting the     Jenkins master process, allowing the execution of     arbitrary code. (CVE-2016-0788)

  - A flaw exists in main/java/hudson/cli/CLIAction.java due     to improper sanitization of CRLF sequences, which are     passed via CLI command names, before they are included     in HTTP responses. An unauthenticated, remote attacker     can exploit this, via crafted Jenkins URLs, to carry out     an HTTP response splitting attack. (CVE-2016-0789)

  - The verification of user-supplied API tokens fails to     use a constant-time comparison algorithm. An     unauthenticated, remote attacker can exploit this, via     statistical methods, to determine valid API tokens,     thus facilitating a brute-force attack to gain access     to user credentials. (CVE-2016-0790)

  - The verification of user-supplied XSRF crumbs fails to     use a constant-time comparison algorithm. An     unauthenticated, remote attacker can exploit this, via     statistical methods, to determine valid XSRF crumbs,     thus facilitating a brute-force attack to bypass the     cross-site request forgery protection mechanisms.
    (CVE-2016-0791)

  - A flaw exists in groovy.runtime.MethodClosure class due     to unsafe deserialize calls of unauthenticated Java     objects to the Commons Collections library. An     authenticated, remote attacker can exploit this, by     posting a crafted XML file to certain API endpoints, to     execute arbitrary code. (CVE-2016-0792)

The Jenkins web server running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Groovy library, specifically the runtime.MethodClosure class. An unauthenticated, remote attacker can exploit this, via a crafted XML file, to execute arbitrary code on the target host.

Note that the Jenkins web server may be affected by other vulnerabilities as well; however, Nessus has not tested for these.

ID	Name	Product	Family	Severity
119378	RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)	Nessus	Red Hat Local Security Checks	critical
119370	RHEL 7 : jenkins (RHSA-2016:0711)	Nessus	Red Hat Local Security Checks	critical
90014	Fedora 23 : jenkins-1.625.3-3.fc23 / jenkins-remoting-2.53.3-1.fc23 (2016-641c8b4eb2)	Nessus	Fedora Local Security Checks	high
90011	Fedora 22 : jenkins-1.609.3-6.fc22 / jenkins-remoting-2.53.3-1.fc22 (2016-0f490eea10)	Nessus	Fedora Local Security Checks	high
89925	Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities	Nessus	CGI abuses	critical
89034	Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE	Nessus	General	high

Detections

Analytics

CVE-2016-0792

high

Tenable Plugins

critical

critical

high

high

critical

high