Jenkins CI Server Commons-Collections Library Insecure Deserialization

December 11, 2015

Jenkins is a continuous integration (CI) tool. It is written in Java and is open source. It builds and tests software continuously and tracks the status of existing jobs. It supports various version control systems such as Subversion, Git, Perforce, etc.

To remotely administer Jenkins, a command line interface (CLI) tool called jenkins-cli.jar is included. Using this tool, commands can be sent to the Jenkins server, which processes them using Remoting. To achieve remoting, objects are serialized by the client and deserialized by the server. An insecure deserialization vulnerability (CVE-2015-8103) exists in the server because untrusted data is deserialized and processed by a vulnerable version of the Apache Commons Collections library. The vulnerability can be exploited by an unauthenticated remote attacker by sending a specially crafted serialized object. Successful exploitation can lead to execution of arbitrary commands on the server. The problem is located in the readObject() method in the 'connection.class' class file.

Deserializing untrusted data while vulnerable Apache Commons Collections classes are present on the classpath leads to the vulnerability. Such classes are, for example:

  • InvokerTransformer
  • ForClosure
  • ClosureTransformer

to name a few. The untrusted data eventually passes down to the 'Runtime.exec()' method, where arbitrary code gets executed. Below is the applied fix. The fix filters a list of classes that are considered unsafe:
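To show the shape of the mitigation the text describes (rejecting known-dangerous classes before they are instantiated), here is an added example written for this post; it is not the Jenkins fix itself and is not code from the Jenkins project. It overrides `ObjectInputStream.resolveClass()`, which runs for each class descriptor in the stream before any instance of that class is created, so a gadget class is rejected before its `readObject()` can ever run. The `Command` class, the deny-list contents and the allow-list are constructed for the demo; the class names on the deny-list are the public Commons Collections functor classes, but the list is illustrative, not the one shipped in the fix.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class FilteringDeserializationDemo {

    // Hypothetical message type standing in for a CLI command object (constructed for the demo).
    public static final class Command implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Command(String name) { this.name = name; }
    }

    // Illustrative deny-list of Commons Collections classes abused as deserialization gadgets.
    // A deny-list only blocks what is already known; the allow-list below is the stronger control.
    static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.apache.commons.collections.functors.ForClosure",
        "org.apache.commons.collections.functors.ClosureTransformer",
        "org.apache.commons.collections.functors.ChainedTransformer",
        "org.apache.commons.collections.functors.InstantiateTransformer"
    ));

    // Allow-list: the only classes this endpoint legitimately expects on the wire (demo values).
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        Command.class.getName()
    ));

    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final boolean allowListMode;

        FilteringObjectInputStream(InputStream in, boolean allowListMode) throws IOException {
            super(in);
            this.allowListMode = allowListMode;
        }

        // Called for every class descriptor before an instance exists, so the rejection
        // happens before any constructor-free instantiation or readObject() of that class.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (DENIED.contains(name)) {
                throw new InvalidClassException(name, "rejected by deny-list");
            }
            if (allowListMode && !ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, boolean allowListMode)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new FilteringObjectInputStream(new ByteArrayInputStream(bytes), allowListMode)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected message type: passes the allow-list.
        byte[] ok = serialize(new Command("build"));
        Command c = (Command) deserialize(ok, true);
        System.out.println("accepted: " + c.name);

        // A stream carrying an unexpected class (a plain HashMap, constructed here) is
        // rejected in resolveClass before any HashMap instance is created.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserialize(unexpected, true);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FilteringDeserializationDemo.java && java FilteringDeserializationDemo`; no Commons Collections jar is needed, since the deny-list holds names only. On Java 9 and later the same policy can be expressed with the platform's `ObjectInputFilter` (JEP 290) instead of subclassing `ObjectInputStream`, and a stream depth or array-length limit can be added there as well.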

Vulnerable versions:

  • Jenkins 1.637 and prior
  • Jenkins LTS releases 1.625.1 and prior

Dell Sonicwall has written the following signature that protects our customers from attacks against this vulnerability:

  • 11314.Jenkins CLI Remote Code Execution