Vulnerabilities > CVE-2016-9299 - LDAP Injection vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- LDAP Injection An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
Exploit-Db
| description | Jenkins CLI - HTTP Java Deserialization (Metasploit). CVE-2016-9299. Remote exploit for Linux platform. Tags: Metasploit Framework (MSF), Remote |
| file | exploits/linux/remote/44642.rb |
| id | EDB-ID:44642 |
| last seen | 2018-05-24 |
| modified | 2018-05-17 |
| platform | linux |
| port | 8080 |
| published | 2018-05-17 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/44642/ |
| title | Jenkins CLI - HTTP Java Deserialization (Metasploit) |
| type | remote |
Metasploit
| description | This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not required to exploit this vulnerability. |
| id | MSF:EXPLOIT/LINUX/MISC/JENKINS_LDAP_DESERIALIZE |
| last seen | 2020-06-09 |
| modified | 2018-05-16 |
| published | 2017-01-11 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/jenkins_ldap_deserialize.rb |
| title | Jenkins CLI HTTP Java Deserialization Vulnerability |
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_27EEE66D947444A5B83021EC12A1C307.NASL description Jenkins Security Advisory : An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms. last seen 2020-06-01 modified 2020-06-02 plugin id 94918 published 2016-11-16 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94918 title FreeBSD : jenkins -- Remote code execution vulnerability in remoting module (27eee66d-9474-44a5-b830-21ec12a1c307) NASL family Fedora Local Security Checks NASL id FEDORA_2016-93679A91DF.NASL description Security fix for CVE-2016-9299 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-03-06 plugin id 97533 published 2017-03-06 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97533 title Fedora 24 : jenkins / jenkins-remoting (2016-93679a91df) NASL family Fedora Local Security Checks NASL id FEDORA_2016-368780879D.NASL description Security fix for CVE-2016-9299 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-01 plugin id 95446 published 2016-12-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95446 title Fedora 25 : jenkins / jenkins-remoting (2016-368780879d)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/147665/jenkins_ldap_deserialize.rb.txt |
| id | PACKETSTORM:147665 |
| last seen | 2018-05-17 |
| published | 2018-05-16 |
| reporter | Matthias Kaiser |
| source | https://packetstormsecurity.com/files/147665/Jenkins-CLI-HTTP-Java-Deserialization.html |
| title | Jenkins CLI HTTP Java Deserialization |
Seebug
| bulletinFamily | exploit |
| description | No description provided by source. |
| id | SSV:92557 |
| last seen | 2017-11-19 |
| modified | 2016-11-26 |
| published | 2016-11-26 |
| reporter | Root |
| title | Jenkins remoting module remote command execution vulnerability, CVE-2016-9299) |
References
- https://www.cloudbees.com/jenkins-security-advisory-2016-11-16
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
- http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition
- http://www.securityfocus.com/bid/94281
- http://www.openwall.com/lists/oss-security/2016/11/14/9
- http://www.openwall.com/lists/oss-security/2016/11/12/4
- https://www.exploit-db.com/exploits/44642/
- https://groups.google.com/forum/#%21original/jenkinsci-advisories/-fc-w9tNEJE/LZ7EOS0fBgAJ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6/
- https://groups.google.com/forum/#%21original/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ