Jenkins < 1.642.2 / 1.650 Java Object Deserialization RCE

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a remote code execution
vulnerability.

Description :

The remote web server hosts a version of Jenkins or Jenkins Enterprise
that is prior to 1.642.2 (LTS line) or 1.650 (weekly line). It is,
therefore, affected by a Java deserialization vulnerability in the
Jenkins CLI. An unauthenticated, remote attacker can send serialized
java.rmi and sun.rmi objects that, when deserialized by the server,
start a JRMP listener on it. That listener can then be driven over RMI
with gadget chains from the Groovy or Apache Commons Collections
libraries, resulting in the execution of arbitrary code.

Note that the server is reportedly affected by a number of other
vulnerabilities per the Jenkins security advisory; however, Nessus has
not tested for these.

See also :

http://www.nessus.org/u?93a2c1f1
http://seclists.org/oss-sec/2016/q1/461

Solution :

Upgrade to Jenkins version 1.642.2 (LTS) / 1.650 (weekly) or later.
Alternatively, as an interim mitigation until the upgrade is applied,
disable the CLI port per the vendor advisory.
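The fixed versions above sit on two different release lines, so a naive numeric comparison gets the LTS case wrong: 1.642.2 is lower than 1.650 yet is patched. The following added example (not Tenable's plugin code and not part of the Jenkins advisory) shows a version check that compares each line against its own fixed release, reads the version from the X-Jenkins response header, and reports whether a CLI port is advertised in the X-Jenkins-CLI-Port header. The HTTP response embedded in the block is constructed for illustration; the header names are the ones the Jenkins CLI client itself relies on, and any version string that is not two- or three-component (for example a four-part Jenkins Enterprise build) is reported as unknown rather than guessed at.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory: 1.642.2 on the LTS line and 1.650 on
# the weekly line. LTS versions carry three components and weekly releases two,
# which is what lets the check tell the two lines apart.
FIXED_LTS = (1, 642, 2)
FIXED_WEEKLY = (1, 650)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return an int tuple for 'a.b' (weekly) or 'a.b.c' (LTS), else None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its own release line.

    Comparing an LTS version against 1.650 would flag 1.642.2 as vulnerable,
    so each line is compared only against its own fixed release. Returns None
    when the version string is not a recognised two- or three-part version.
    """
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_LTS if len(v) == 3 else FIXED_WEEKLY
    return v < fixed


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def assess(raw_response: str) -> Dict[str, object]:
    """Summarise version, vulnerability status and advertised CLI port."""
    headers = parse_headers(raw_response)
    version = headers.get("x-jenkins")
    cli_port = headers.get("x-jenkins-cli-port")
    return {
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
        "cli_port": int(cli_port) if cli_port and cli_port.isdigit() else None,
    }


# Constructed sample: Jenkins sends X-Jenkins on most responses, including a
# 403 for an unauthenticated client, so the version leaks before any login.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 1.642.1\r\n"
    "X-Jenkins-CLI-Port: 50000\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Authentication required</body></html>"
)

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

In practice the raw response comes from a request to the Jenkins base URL; the check is purely version-based and does not confirm that the CLI port is reachable, which is why a port advertised in X-Jenkins-CLI-Port is reported separately for follow-up.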

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: General

Nessus Plugin ID: 89725

Bugtraq ID: 83715

CVE ID: CVE-2016-0788
