Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities

critical Nessus Plugin ID 89925

Synopsis

The remote web server hosts a job scheduling and management system that is affected by multiple vulnerabilities.

Description

The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the following vulnerabilities :

- An unspecified flaw exists in the Jenkins remoting module. An unauthenticated, remote attacker can exploit this to open a JRMP listener on the server hosting the Jenkins master process, allowing the execution of arbitrary code. (CVE-2016-0788)

- A flaw exists in main/java/hudson/cli/CLIAction.java due to improper sanitization of CRLF sequences, which are passed via CLI command names, before they are included in HTTP responses. An unauthenticated, remote attacker can exploit this, via crafted Jenkins URLs, to carry out an HTTP response splitting attack. (CVE-2016-0789)

- The verification of user-supplied API tokens fails to use a constant-time comparison algorithm. An unauthenticated, remote attacker can exploit this, via statistical methods, to determine valid API tokens, thus facilitating a brute-force attack to gain access to user credentials. (CVE-2016-0790)

- The verification of user-supplied XSRF crumbs fails to use a constant-time comparison algorithm. An unauthenticated, remote attacker can exploit this, via statistical methods, to determine valid XSRF crumbs, thus facilitating a brute-force attack to bypass the cross-site request forgery protection mechanisms.
(CVE-2016-0791)

- A flaw exists in groovy.runtime.MethodClosure class due to unsafe deserialize calls of unauthenticated Java objects to the Commons Collections library. An authenticated, remote attacker can exploit this, by posting a crafted XML file to certain API endpoints, to execute arbitrary code. (CVE-2016-0792)

Solution

Upgrade Jenkins to version 1.650 or later, Jenkins LTS to version 1.642.2 or later, or Jenkins Enterprise to version 1.609.16.1 / 1.625.16.1 / 1.642.2.1 or later.

See Also

http://www.nessus.org/u?bb7b4350

https://www.cloudbees.com/jenkins-security-advisory-2016-02-24

https://jenkins.io/changelog/

https://jenkins.io/changelog/-stable

http://www.nessus.org/u?9c6d83db

Plugin Details

Severity: Critical

ID: 89925

File Name: jenkins_1_650.nasl

Version: 1.14

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 3/14/2016

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-0788

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/24/2016

Vulnerability Publication Date: 1/28/2015

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Jenkins XStream Groovy classpath Deserialization Vulnerability)

Reference Information

CVE: CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792

CERT: 576313