Immunity, Inc.
Name jenkins_cli_deserialization
CVE CVE-2015-8103
Exploit Pack CANVAS
Description jenkins_cli_deserialization
Notes
CVE Name: CVE-2015-8103
VENDOR: Jenkins
NOTES:
IMPORTANT NOTE: This module WILL NOT WORK against any instance of this application running an Apache Commons Collections version prior to 3.0.


Jenkins has a remote command line interface console. It is often unauthenticated. It communicates
with a client by exchanging serialized Java objects. Apache Commons Collections before 3.2.2 allows
users to serialize transformers on collection values. Of importance to us is the InvokerTransformer,
which is capable of invoking Java methods. We are able to run these transformers by adding them to an
annotation map whose members are accessed. The right chain of method invocations leads to arbitrary
code execution.
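
For detection, the class names a serialized Java stream declares can be listed and checked against a watch list before anything deserializes it. The following is an added example, not CANVAS or Jenkins code: the watch list beyond InvokerTransformer and the function names are assumptions of this example, and the sample buffers are constructed (descriptors with no fields).

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream magic + version
TC_CLASSDESC = 0x72                 # marks a new class descriptor in the stream
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")

# Watch list (an assumption of this example): the transformer named above plus
# related Commons Collections functors and the JDK annotation handler.
WATCHED = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "sun.reflect.annotation.AnnotationInvocationHandler",
}

def class_names(buf):
    """Heuristically list class names declared after the stream magic."""
    names = []
    i = buf.find(STREAM_MAGIC)
    if i < 0:
        return names
    i += len(STREAM_MAGIC)
    while 0 <= (i := buf.find(bytes([TC_CLASSDESC]), i)) <= len(buf) - 3:
        (n,) = struct.unpack_from(">H", buf, i + 1)
        name = buf[i + 3:i + 3 + n]
        # A descriptor is name-length, name, then an 8-byte serialVersionUID.
        if len(name) == n and len(buf) >= i + 3 + n + 8 and CLASS_NAME.fullmatch(name):
            names.append(name.decode("ascii"))
            i += 3 + n + 8
        else:
            i += 1  # 0x72 was ordinary data, keep scanning
    return names

def flag_gadgets(buf):
    """Return the watched class names present in buf, sorted."""
    return sorted(set(class_names(buf)) & WATCHED)

def _desc(name):
    """Constructed TC_OBJECT + TC_CLASSDESC record with zero fields."""
    raw = name.encode("ascii")
    return b"\x73\x72" + struct.pack(">H", len(raw)) + raw + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"

# Constructed sample buffers, not captured traffic.
BENIGN = b"prefix" + STREAM_MAGIC + _desc("java.util.HashMap")
SUSPECT = STREAM_MAGIC + b"".join(_desc(n) for n in sorted(WATCHED))

if __name__ == "__main__":
    print(flag_gadgets(BENIGN), flag_gadgets(SUSPECT))
```

This is a byte-level heuristic rather than a full stream parser, so it suits triage of captured data and does not replace upgrading the library or restricting access to the CLI port.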

NOTE: By default, Jenkins starts its management web application on 0.0.0.0:8080.
For this module to work, both the web interface specified above *and* the CLI port specified by the
X-Jenkins-CLI-Port element in the HTTP response headers from said web interface need to be
accessible by the CANVAS host.

Version support:
> Windows 7 Ultimate SP1 x86
- 1.598 on Java SE 6 / 7 / 8
- 1.637 on Java SE 6 / 7 / 8
> Ubuntu Linux 14.04.3 - x86
- 1.598 on Java SE 6 / 7 / 8
- 1.600 on Java SE 6 / 7 / 8
- 1.637 on Java SE 6 / 7 / 8

Repeatability: Infinite
References:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103