Jenkins Remote Code Execution Vulnerability Alert
On November 11, the Jenkins project announced a serious vulnerability that could lead to remote code execution and strongly recommended that administrators running Jenkins on the public internet disable the CLI immediately. The next day Jenkins confirmed the vulnerability; the affected versions are all versions before LTS Release 2.19.3 and all versions before Weekly Release 2.32, and Jenkins stated that an update fixing it would be published on the 16th. On November 17, Jenkins released the new security updates, LTS Release 2.19.3 and Weekly Release 2.32, and published a PoC for the vulnerability on GitHub.
Description
Remote code execution vulnerability in remoting module
SECURITY-360 / CVE-2016-9299
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
Severity
- SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.
Affected versions
- All Jenkins main line releases up to and including 2.31
- All Jenkins LTS releases up to and including 2.19.2
Fix
- Jenkins main line users should update to 2.32
- Jenkins LTS users should update to 2.19.3
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
Notes
As part of this fix, a number of other so-called "gadgets" were reviewed and are now also being prohibited. We tracked this activity as SECURITY-317.
Other resources
Chinese description
CVE ID:
- CVE-2016-9299
Disclosure date:
- 2016-11-11
Affected versions:
- All versions before LTS Release 2.19.3
- All versions before Weekly Release 2.32
Impact:
Along with the patch, Jenkins added the related test code to GitHub. That test code contains a payload for this vulnerability and checks for its presence by remotely executing code, which could enable large-scale attacks against Jenkins deployments.
Jenkins administrators are strongly advised to upgrade to the latest version immediately to fix this vulnerability.
Verification:
The test method can be seen in Jenkins' official test code:
@PresetData(PresetData.DataSet.ANONYMOUS_READONLY)
@Test
@Issue("SECURITY-360")
public void ldap() throws Exception {
    // with a proper fix, this should fail with EXIT_CODE_REJECTED
    // otherwise this will fail with -1 exit code
    probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);
}

private void probe(Payload payload, int expectedResultCode) throws Exception {
    File file = File.createTempFile("security-218", payload + "-payload");
    File moved = new File(file.getAbsolutePath() + "-moved");
    // Bypassing _main because it does nothing interesting here.
    // Hardcoding CLI protocol version 1 (CliProtocol) because it is easier to sniff.
    int exitCode = new CLI(r.getURL()).execute("send-payload",
            payload.toString(), "mv " + file.getAbsolutePath() + " " + moved.getAbsolutePath());
    assertEquals("Unexpected result code.", expectedResultCode, exitCode);
    assertTrue("Payload should not invoke the move operation " + file, !moved.exists());
    file.delete();
}

...

public class Ldap extends PayloadRunner implements ObjectPayload<Object> {
    public Object getObject(final String command) throws Exception {
        // this is not a full exploit, so we cannot honor the command,
        // but we want to check that we are blocking LdapAttribute
        Class<?> c = Class.forName("com.sun.jndi.ldap.LdapAttribute");
        Constructor<?> ctr = c.getDeclaredConstructor(String.class);
        ctr.setAccessible(true);
        return ctr.newInstance("foo");
    }

    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(Ldap.class, args);
    }
}
Solution:
Jenkins has fixed the vulnerability and published new releases; upgrade to one of the following versions:
- Weekly Release 2.32
- LTS Release 2.19.3
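To turn the two version lines above into an inventory check, the following added example (not code from Jenkins or from this advisory) classifies a Jenkins version as affected or fixed, distinguishing LTS releases (three components, such as 2.19.2) from weekly releases (two components, such as 2.31). It reads the version from the X-Jenkins response header that Jenkins sends; the sample HTTP response is constructed for the example.

```python
"""Classify Jenkins versions against the SECURITY-360 / CVE-2016-9299 fix releases."""
import re
from typing import Optional, Tuple

# Fixed releases as stated in the advisory.
FIXED_WEEKLY = (2, 32)
FIXED_LTS = (2, 19, 3)

# Constructed sample response; a real Jenkins instance sets X-Jenkins to its version.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Jetty(9.2.z-SNAPSHOT)\r\n"
    "X-Jenkins: 2.19.2\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.2' or '2.31' into a comparable tuple of integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(parts: Tuple[int, ...]) -> bool:
    """LTS releases carry a third component (2.19.2); weekly releases do not (2.31)."""
    return len(parts) == 3


def is_affected(version: str) -> bool:
    """True when the version predates the fix release of its own line."""
    parts = parse_version(version)
    fixed = FIXED_LTS if is_lts(parts) else FIXED_WEEKLY
    return parts < fixed


def version_from_headers(raw_response: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    v = version_from_headers(SAMPLE_RESPONSE)
    print(f"Jenkins {v}: {'AFFECTED, upgrade required' if is_affected(v) else 'fixed'}")
```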
References:
- Jenkins (https://jenkins.io/)
- Mailing list (https://groups.google.com/forum/#!msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ)
- Official PoC (https://github.com/jenkinsci/jenkins/blob/master/test/src/test/java/jenkins/security/Security218CliTest.java)
Think three times before acting, and security will follow.
三思網(wǎng)安 | a useful public account