CVE-2016-9299
published 2017-01-12

Priority: P1 91 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 96.94% (99.9th percentile)
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Affected (5 ranges)

Vendor          Product        Version range   Fixed in
fedoraproject   fedora
jenkins         jenkins        <= 2.19.2
jenkins         jenkins        <= 2.31
jenkins         jenkins_core
jenkins         jenkins_lts

Detection & IOCs (extracted from sources)

url: /cli
port: 8080
port: 1389
  • Detect exploit traffic by matching HTTP POST to /cli with Content-Type: application/octet-stream and the Java serialized object magic bytes (rO0AB / aced) in the body, combined with a 'Side: upload' header.
  • Detect successful exploitation by looking for the string 'hudson.remoting.UserRequest' in HTTP responses from the Jenkins /cli endpoint.
  • Monitor for outbound LDAP connections (port 389/1389) originating from the Jenkins server process, which indicates the deserialized payload triggered an LDAP callback to an attacker-controlled server.
  • Check the X-Jenkins HTTP response header; versions <= 2.31 are vulnerable to this unauthenticated RCE.
  • The exploit uses a two-connection pattern to /cli: one long-lived 'download' connection and a second 'upload' connection carrying the serialized payload. Correlate paired HTTP connections to /cli with matching Session headers.
  • The Metasploit module spins up a rogue LDAP server on port 1389 by default. Detect Jenkins servers initiating LDAP connections to non-standard ports (e.g., 1389) as an indicator of active exploitation.
  • The LDAP response from the attacker's server contains a 'javaSerializedData' attribute carrying the stage-2 payload. Inspect LDAP search response entries for this attribute as a network-level detection.
  • The exploit requires no authentication; all Jenkins mainline releases up to and including 2.31 and all LTS releases up to and including 2.19.2 are affected.
  • The default LDAP listener port used by the Metasploit module is 1389, not the standard 389; firewall rules blocking only port 389 will not prevent the attacker's rogue LDAP server from being reachable.
  • The nuclei template requires an out-of-band (OOB/interactsh) DNS interaction to confirm exploitation; DNS-based detection may not fire in air-gapped or DNS-filtered environments.
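The request-side detections above (POST to /cli with an octet-stream body starting with the Java serialization magic and a `Side: upload` header, paired download/upload connections sharing a `Session` header, and the X-Jenkins version check) as an added Python example; this is not code from the page or from Jenkins, and the request records it runs over are constructed samples, not captured traffic. It assumes the X-Jenkins header carries a two-component mainline version or a three-component LTS version.

```python
import re
from typing import Dict, List

# Constructed sample requests in a minimal dict form (not captured traffic).
SAMPLE_REQUESTS: List[Dict] = [
    {"method": "POST", "path": "/cli", "body": b"",
     "headers": {"Side": "download", "Session": "abc-1",
                 "Content-Type": "application/octet-stream"}},
    {"method": "POST", "path": "/cli",
     "body": b"\xac\xed\x00\x05sr\x00\x1ahudson.remoting.Capability",
     "headers": {"Side": "upload", "Session": "abc-1",
                 "Content-Type": "application/octet-stream"}},
    {"method": "GET", "path": "/job/build", "body": b"", "headers": {}},
]

JAVA_MAGIC = b"\xac\xed\x00\x05"   # raw serialization stream header
JAVA_MAGIC_B64 = b"rO0AB"          # the same header, base64-encoded

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}

def is_serialized_payload(body: bytes) -> bool:
    """True if the body begins with a raw or base64 Java serialization header."""
    head = body.lstrip()[:8]
    return head.startswith(JAVA_MAGIC) or head.startswith(JAVA_MAGIC_B64)

def is_cli_upload(req: Dict) -> bool:
    """Match the 'upload' leg of the /cli exchange carrying a serialized object."""
    h = _lower(req["headers"])
    return (req["method"] == "POST" and req["path"].rstrip("/").endswith("/cli")
            and h.get("content-type", "").startswith("application/octet-stream")
            and h.get("side", "").lower() == "upload"
            and is_serialized_payload(req["body"]))

def find_exploit_attempts(requests: List[Dict]) -> List[int]:
    return [i for i, r in enumerate(requests) if is_cli_upload(r)]

def paired_sessions(requests: List[Dict]) -> List[str]:
    """Session ids seen with both a 'download' and an 'upload' /cli connection."""
    sides: Dict[str, set] = {}
    for r in requests:
        h = _lower(r["headers"])
        if r["path"].rstrip("/").endswith("/cli") and "session" in h:
            sides.setdefault(h["session"], set()).add(h.get("side", "").lower())
    return sorted(s for s, v in sides.items() if {"download", "upload"} <= v)

def version_is_vulnerable(x_jenkins: str) -> bool:
    """X-Jenkins header: LTS (x.y.z) <= 2.19.2 or mainline (x.y) <= 2.31 (assumed layout)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", x_jenkins)[:3])
    return parts <= (2, 19, 2) if len(parts) == 3 else parts <= (2, 31)
```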

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck                 9.8     CRITICAL
vendor_redhat             9.8     CRITICAL