Synopsis
The remote web server hosts a job scheduling and management system that is affected by multiple vulnerabilities.
Description
The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the following vulnerabilities :
- An unspecified flaw exists in the Jenkins remoting module. An unauthenticated, remote attacker can exploit this to open a JRMP listener on the server hosting the Jenkins master process, allowing the execution of arbitrary code. (CVE-2016-0788)
- A flaw exists in main/java/hudson/cli/CLIAction.java due to improper sanitization of CRLF sequences, which are passed via CLI command names, before they are included in HTTP responses. An unauthenticated, remote attacker can exploit this, via crafted Jenkins URLs, to carry out an HTTP response splitting attack. (CVE-2016-0789)
- The verification of user-supplied API tokens fails to use a constant-time comparison algorithm. An unauthenticated, remote attacker can exploit this, via statistical methods, to determine valid API tokens, thus facilitating a brute-force attack to gain access to user credentials. (CVE-2016-0790)
- The verification of user-supplied XSRF crumbs fails to use a constant-time comparison algorithm. An unauthenticated, remote attacker can exploit this, via statistical methods, to determine valid XSRF crumbs, thus facilitating a brute-force attack to bypass the cross-site request forgery protection mechanisms.
(CVE-2016-0791)
- A flaw exists in groovy.runtime.MethodClosure class due to unsafe deserialize calls of unauthenticated Java objects to the Commons Collections library. An authenticated, remote attacker can exploit this, by posting a crafted XML file to certain API endpoints, to execute arbitrary code. (CVE-2016-0792)
Solution
Upgrade Jenkins to version 1.650 or later, Jenkins LTS to version 1.642.2 or later, or Jenkins Enterprise to version 1.609.16.1 / 1.625.16.1 / 1.642.2.1 or later.
Plugin Details
File Name: jenkins_1_650.nasl
Agent: windows, macosx, unix
Configuration: Enable thorough checks
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Enable CGI Scanning: true
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins
Required KB Items: installed_sw/Jenkins
Exploit Ease: Exploits are available
Patch Publication Date: 2/24/2016
Vulnerability Publication Date: 1/28/2015
Exploitable With
CANVAS (CANVAS)
Core Impact
Metasploit (Jenkins XStream Groovy classpath Deserialization Vulnerability)