CVE-2016-9299
Published: 2017-01-12
Priority: P1 (91) · Critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 96.94% (99.9th percentile)
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| jenkins | jenkins | <= 2.19.2 | — |
| jenkins | jenkins | <= 2.31 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit traffic by matching HTTP POST requests to /cli with Content-Type: application/octet-stream and the Java serialized-object magic bytes (rO0AB in base64, aced in hex) in the body, combined with a 'Side: upload' header.
- Detect successful exploitation by looking for the string 'hudson.remoting.UserRequest' in HTTP responses from the Jenkins /cli endpoint.
- Monitor for outbound LDAP connections (port 389/1389) originating from the Jenkins server process; these indicate that the deserialized payload triggered an LDAP callback to an attacker-controlled server.
- Check the X-Jenkins HTTP response header; versions <= 2.31 are vulnerable to this unauthenticated RCE.
- The exploit uses a two-connection pattern to /cli: one long-lived 'download' connection and a second 'upload' connection carrying the serialized payload. Correlate paired HTTP connections to /cli with matching Session headers.
- The Metasploit module spins up a rogue LDAP server on port 1389 by default. Detect Jenkins servers initiating LDAP connections to non-standard ports (e.g., 1389) as an indicator of active exploitation.
- The LDAP response from the attacker's server contains a 'javaSerializedData' attribute carrying the stage-2 payload. Inspect LDAP search response entries for this attribute as a network-level detection.
- The exploit requires no authentication; all Jenkins main line releases up to and including 2.31 and all LTS releases up to and including 2.19.2 are affected.
- The default LDAP listener port used by the Metasploit module is 1389, not the standard 389; firewall rules blocking only port 389 will not prevent the attacker's rogue LDAP server from being reachable.
- The nuclei template requires an out-of-band (OOB/interactsh) DNS interaction to confirm exploitation; DNS-based detection may not fire in air-gapped or DNS-filtered environments.
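The first and fifth detection points above (serialized-object magic bytes in a POST to /cli, and pairing the 'download' and 'upload' connections by Session header) can be turned into a log-side check. The following is an added example written for this page, not code from any of the sources listed; the request records are constructed, and a real deployment would feed it parsed proxy or WAF logs in the same shape.

```python
# Added example: defensive check for the two-connection /cli pattern.
# Request records are constructed dicts, not real captures.
import base64
from collections import defaultdict

JAVA_MAGIC_RAW = b"\xac\xed\x00\x05"   # Java serialization stream header (hex aced0005)
JAVA_MAGIC_B64 = b"rO0AB"               # the same header after base64 encoding


def looks_serialized(body: bytes) -> bool:
    """True if the body starts with a Java serialization stream header."""
    return body.startswith(JAVA_MAGIC_RAW) or body.startswith(JAVA_MAGIC_B64)


def _headers(req: dict) -> dict:
    return {k.lower(): v for k, v in req["headers"].items()}


def is_cli_upload(req: dict) -> bool:
    """Single-request rule: POST /cli, octet-stream, 'Side: upload', serialized body."""
    h = _headers(req)
    return (req["method"] == "POST"
            and req["path"].rstrip("/") == "/cli"
            and h.get("content-type", "").startswith("application/octet-stream")
            and h.get("side", "").lower() == "upload"
            and looks_serialized(req["body"]))


def find_suspicious_sessions(requests: list) -> list:
    """Return Session ids that show both a serialized 'upload' and a paired 'download' to /cli."""
    sides = defaultdict(set)
    for req in requests:
        if req["path"].rstrip("/") != "/cli":
            continue
        h = _headers(req)
        sess = h.get("session")
        if not sess:
            continue
        if is_cli_upload(req):
            sides[sess].add("upload")
        elif h.get("side", "").lower() == "download":
            sides[sess].add("download")
    return sorted(s for s, seen in sides.items() if seen == {"upload", "download"})


# Constructed sample traffic: s1 is a full pair, s2 is an upload with no download leg.
SAMPLE = [
    {"method": "POST", "path": "/cli", "headers": {"Session": "s1", "Side": "download", "Content-Type": "application/octet-stream"}, "body": b""},
    {"method": "POST", "path": "/cli", "headers": {"Session": "s1", "Side": "upload", "Content-Type": "application/octet-stream"}, "body": JAVA_MAGIC_RAW + b"\x73\x72"},
    {"method": "POST", "path": "/cli", "headers": {"Session": "s2", "Side": "upload", "Content-Type": "application/octet-stream"}, "body": base64.b64encode(JAVA_MAGIC_RAW)},
    {"method": "GET", "path": "/api/json", "headers": {}, "body": b""},
]
```

A single unpaired upload (s2) is still worth alerting on via is_cli_upload; the session pairing only raises confidence that the full exploit sequence ran.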
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
VulDB · 2026-05-13
CVE-2016-9299 [CRITICAL] Jenkins up to 2.31 Remoting ldap injection (FEDORA-2016-368780879d / EDB-44642)
A vulnerability, which was classified as critical, was found in Jenkins up to 2.31. Affected by this issue is some unknown functionality of the component Remoting Module. Executing a manipulation can lead to ldap injection.
This vulnerability is tracked as CVE-2016-9299. The attack can be launched remotely. Moreover, an exploit is present.
You should upgrade the affected component.
GHSA · 2022-05-14
CVE-2016-9299 [CRITICAL] CWE-90 Improper Neutralization of Special Elements used in an LDAP Query in Jenkins
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
OSV · 2022-05-14
CVE-2016-9299 [CRITICAL] Improper Neutralization of Special Elements used in an LDAP Query in Jenkins
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
VulnCheck · 2016 · CVSS 9.8
CVE-2016-9299 [CRITICAL] Jenkins jenkins Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Affected: Jenkins jenkins
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.jenkins.io/security/advisory/2016-11-16/
Jenkins (vendor) · 2016-11-16 · CVSS 9.8
CVE-2016-9299 [CRITICAL] Jenkins Security Advisory 2016-11-16
This advisory announces the fix for a previously disclosed zero-day vulnerability in Jenkins.
Description
Remote code execution vulnerability in remoting module
SECURITY-360 / CVE-2016-9299
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
Severity
SECURITY-360 is considered critical as it allows unprivileged attackers to execute arbitrary code.
Affected versions
All Jenkins main line releases up to and
Red Hat · 2016-11-11 · CVSS 9.8
CVE-2016-9299 [CRITICAL] CWE-502 jenkins: Java deserialization flaw leads to RCE
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Mitigation: https://github.com/jenkinsci-cert/SECURITY-218
Package: jenkins (Red Hat OpenShift Enterprise 2) - Under investigation
Package: jenkins (Red Hat OpenShift Enterprise 3) - Under investigation
No detection rules found.
Exploit-DB · 2018-05-17
CVE-2016-9299 Jenkins CLI - HTTP Java Deserialization (Metasploit)

Module header excerpt as published (the excerpt ends mid-target list):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Jenkins CLI HTTP Java Deserialization Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
        the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not
        required to exploit this vulnerability.
      },
      'Author'      =>
        [
          'Matthias Kaiser', # Original Vulnerability discovery
          'Alisa Esage',     # Private Exploit
          'Ivan',            # Metasploit Module Author
          'YSOSerial'        # Stage 2 payload
        ],
      'License'     => MSF_LICENSE,
      'Platform'    => ['linux', 'unix'],
      'Arch'        => ARCH_CMD,
      'Targets'     => [ [ 'Jenkins 2.31',
```
Metasploit
Jenkins CLI HTTP Java Deserialization Vulnerability
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists in Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not required to exploit this vulnerability.
Nuclei · CVSS 9.8
CVE-2016-9299 [CRITICAL] Jenkins CLI - HTTP Java Deserialization
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
Template (excerpt, truncated in the source):

```yaml
id: CVE-2016-9299

info:
  name: Jenkins CLI - HTTP Java Deserialization
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
  impact: |
    Attackers can execute arbitrary code through Java deserialization, potentially leading to complete Jenkins server compromise and unauthorized access to all build systems and secr
```
Bugzilla · 2016-11-15 · CVSS 9.8
CVE-2016-9299 [CRITICAL] CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fed
Bugzilla · 2016-11-15 · CVSS 9.8
CVE-2016-9299 [CRITICAL] CVE-2016-9299 jenkins: Java deserialization flaw leads to RCE
An unauthenticated remote code execution vulnerability was discovered in the Jenkins continuous integration and continuous delivery automation server. A serialized Java object transferred to the Jenkins CLI can make Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms.
Upstream advisory:
https://groups.google.com/forum/#!msg/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
CVE assignment:
http://seclists.org/oss-sec/2016/q4/423
Mitigation:
https://github.com/jenkinsci-cert/SECURITY-218
Discussion:
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1395174]
---
External References:
- http://www.openwall.com/lists/oss-security/2016/11/12/4
- http://www.openwall.com/lists/oss-security/2016/11/14/9
- http://www.securityfocus.com/bid/94281
- http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition
- https://groups.google.com/forum/#%21original/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
- https://groups.google.com/forum/#%21original/jenkinsci-advisories/-fc-w9tNEJE/LZ7EOS0fBgAJ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6/
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
- https://www.cloudbees.com/jenkins-security-advisory-2016-11-16
- https://www.exploit-db.com/exploits/44642/