HackDig : Dig high-quality web security articles

Jenkins Remoting RCE II – The return of the ysoserial

2016-07-01 21:50


Jenkins is a continuous integration server, widely used in Java environments for build automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins server can be a critical part of the infrastructure: it often creates the application packages that are later deployed to production application servers. An attacker who can execute arbitrary code on it can easily manipulate those packages and inject additional code. Another scenario is the attacker stealing credentials, such as passwords or private keys, that are used for authentication in the deployment process.

The advisory on the project site does not give much detail about the problem:

“Remote code execution vulnerability in remoting module
SECURITY-232 / CVE-2016-0788
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.”

Jenkins remoting is used for communication between master and agent (formerly known as “slave”) or between master and CLI. (You can set up slave servers for distributed builds.) This port is enabled in the default configuration; it requires no authentication to connect and performs arbitrary class deserialization.
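The following script-console snippet is an added example, not code from the article or from the Jenkins project; it assumes the Jenkins 2.x core API (`Jenkins.instance.slaveAgentPort`, `setSlaveAgentPort`, `hudson.slaves.JNLPLauncher`) and shows how a defender can audit the remoting TCP port the excerpt describes and close it when no inbound (JNLP-launched) agent relies on it.

```groovy
// Added example (not from the article): audit the Jenkins remoting TCP port
// from the script console and disable it when no node depends on it.
// Assumes Jenkins 2.x core APIs: Jenkins.instance.slaveAgentPort (-1 = disabled,
// 0 = random port, >0 = fixed port), setSlaveAgentPort(int) and JNLPLauncher.
import jenkins.model.Jenkins
import hudson.model.Slave
import hudson.slaves.JNLPLauncher

def j = Jenkins.instance
int port = j.slaveAgentPort

// Only nodes launched via JNLP (inbound agents) connect through this port;
// SSH-launched or local nodes do not need it.
def inbound = j.nodes.findAll { it instanceof Slave && it.launcher instanceof JNLPLauncher }

if (port == -1) {
    println "Remoting TCP port is disabled; nothing to do."
} else {
    println "Remoting TCP port is enabled (${port == 0 ? 'random port' : 'port ' + port})."
    if (inbound.isEmpty()) {
        // No agent depends on the port: close the unauthenticated entry point.
        j.slaveAgentPort = -1
        j.save()
        println "No JNLP-launched nodes found; port disabled and configuration saved."
    } else {
        println "Port left enabled; nodes that depend on it: ${inbound*.nodeName.join(', ')}"
        println "Upgrade to a release containing the SECURITY-232 fix and restrict network access to the port."
    }
}
```

Run it from Manage Jenkins > Script Console with administrator rights; the script only changes configuration when no node would lose connectivity.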

Source: www.insinuator.net/2016/07/jenkins-remoting-rce-ii-the-return-of-the-ysoserial/
