CVE-2016-0788
Published 2016-04-07
CVE-2016-0788: The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
Priority P2 · 61 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.84% (95.6th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | <= 1.649 | — |
| jenkins | jenkins | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| redhat | openshift | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated attempts to open a JRMP (Java Remote Method Protocol) listener on the Jenkins controller/master process, which is the core exploitation mechanism for CVE-2016-0788
- Monitor for exploitation tooling referencing JRMPListener.java, RemoteObjectInvocationHandler, and UnicastRef objects, as these are the key components used in the JRMP-based deserialization attack chain
- Monitor for use of jrmp_listener.py and jrmp_connect_back.py exploit scripts against Jenkins or WebLogic RMI endpoints, as these are the published proof-of-concept tools for this attack
- Alert on inbound RMI/JRMP traffic (Java serialized object streams) to Jenkins controller ports from unauthenticated sources; the attack leverages RMI deserialization via the remoting module
- Flag Jenkins instances running versions up to and including 1.649 (main line) or 1.642.1 (LTS) as vulnerable to CVE-2016-0788
- The attack exploits the Jenkins remoting module and is unauthenticated, meaning no credentials are required; any network-accessible Jenkins controller is at risk without additional network-layer controls
- The JRMP listener technique was also found applicable to Oracle WebLogic RMI endpoints (via UnicastRef deserialization), not just Jenkins; detection logic should consider both attack surfaces
- The researcher credited with CVE-2016-0788 (Moritz Bechler) published additional undisclosed ysoserial payloads (including CommonCollections3 and RMI Connect Back), broadening the potential payload variants beyond the original CVE scope
CVSS provenance
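| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | | 9.8 | CRITICAL | |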
GHSA
Jenkins allows Execution of Code by Opening a JRMP Listener
ghsa·2022-05-14
CVE-2016-0788 [CRITICAL] CWE-502 Jenkins allows Execution of Code by Opening a JRMP Listener
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
OSV
Jenkins allows Execution of Code by Opening a JRMP Listener
osv·2022-05-14
CVE-2016-0788 [CRITICAL] Jenkins allows Execution of Code by Opening a JRMP Listener
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
Red Hat
jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
vendor_redhat·2016-02-24·CVSS 9.8
CVE-2016-0788 [CRITICAL] jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
Jenkins
Jenkins Security Advisory 2016-02-24
vendor_jenkins·2016-02-24·CVSS 9.8
CVE-2016-0788 [CRITICAL] Jenkins Security Advisory 2016-02-24
This advisory announces multiple vulnerabilities in Jenkins.
Description
Remote code execution vulnerability in remoting module
SECURITY-232 / CVE-2016-0788
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins controller process, which allowed arbitrary code execution.
HTTP response splitting vulnerability
SECURITY-238 / CVE-2016-0789
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
Non-constant time comparison of API token
SECURITY-241 / CVE-2016-0790
The verifica
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all]
bugzilla·2016-02-25·CVSS 9.8
CVE-2016-0788 [CRITICAL] CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
Bugzilla
CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
bugzilla·2016-02-25·CVSS 9.8
CVE-2016-0788 [CRITICAL] CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
The following flaw was found in Jenkins:
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
Discussion:
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.1
Via RHSA-2016:0711 https://access.redhat.com/errata/RHSA-2016:0711
---
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 2.2
Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html
Tenable
[R1] Oracle WebLogic RMI Registry UnicastRef Object Java Deserialization Remote Code Execution
blogs_tenable·2017-01-25
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
- https://access.redhat.com/errata/RHSA-2016:0711
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
Published: 2016-04-07