Description

Remote code execution vulnerability in remoting module

SECURITY-360 / CVE-2016-9299

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.

Severity

• SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.

Affected versions

• All Jenkins main line releases up to and including 2.31

• All Jenkins LTS releases up to and including 2.19.2

Fix

• Jenkins main line users should update to 2.32

• Jenkins LTS users should update to 2.19.3

These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

Notes

As part of this fix, a number of other so-called "gadgets" were reviewed and are now also being prohibited. We tracked this activity as SECURITY-317.

Other resources

• November 16 blog post announcing the fixes

• November 11 blog post with workaround after public disclosure of the vulnerability

• LTS 2.19.3 upgrade guide for Jenkins administrators

• Corresponding security advisory for CloudBees Jenkins Enterprise and CloudBees Jenkins Operations Center

中文描述

CVE ID：

•  CVE-2016-9299

披露时间：

•  2016-11-11

影响版本：

• LTS Release 2.19.3 之前的所有版本

• Weekly Release 2.32 之前的所有版本

漏洞影响：

Jenkins 官方在更新了漏洞修复补丁的同时，也在 GitHub 上添加了相关的测试代码，测试代码中包含针对此漏洞测试的 Payload，通过远程执行代码来测试该漏洞是否存在，这可能造成 Jenkins 应用被大面积攻击。

强烈建议 Jenkins 管理员立即升级最新版以修复该漏洞。

漏洞验证：

漏洞测试方法见 Jenkins 官方测试代码：

@PresetData(PresetData.DataSet.ANONYMOUS_READONLY)

@Test

@Issue("SECURITY-360")

public void ldap() throws Exception {

    // with a proper fix, this should fail with EXIT_CODE_REJECTED

    // otherwise this will fail with -1 exit code

    probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);

}

private void probe(Payload payload, int expectedResultCode) throws Exception {

    File file = File.createTempFile("security-218", payload + "-payload");

    File moved = new File(file.getAbsolutePath() + "-moved");

    // Bypassing _main because it does nothing interesting here.

    // Hardcoding CLI protocol version 1 (CliProtocol) because it is easier to sniff.

    int exitCode = new CLI(r.getURL()).execute("send-payload",

            payload.toString(), "mv " + file.getAbsolutePath() + " " + moved.getAbsolutePath());

    assertEquals("Unexpected result code.", expectedResultCode, exitCode);

    assertTrue("Payload should not invoke the move operation " + file, !moved.exists());

    file.delete();

}

...

public class Ldap extends PayloadRunner implements ObjectPayload<Object> {

    public Object getObject(final String command) throws Exception {

        // this is not a fully exploit, so we cannot honor the command,

        // but we want to check that we are blocking LdapAttribute

        Class<?> c = Class.forName("com.sun.jndi.ldap.LdapAttribute");

        Constructor<?> ctr = c.getDeclaredConstructor(String.class);

        ctr.setAccessible(true);

        return ctr.newInstance("foo");

    }

    public static void main(final String[] args) throws Exception {

        PayloadRunner.run(Ldap.class, args);

    }

}

解决方案：

Jenkins 已修复漏洞并发布了新版 Release，可以升级到以下版本：

• Weekly Release 2.32

• LTS Release 2.19.3 

参考: 

• Jenkins (https://jenkins.io/)

• 邮件组   (https://groups.google.com/forum/#!msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ)

• 官方 PoC  (https://github.com/jenkinsci/jenkins/blob/master/test/src/test/java/jenkins/security/Security218CliTest.java)