Jenkins CLI RMI Java Deserialization Vulnerability
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability.
Module Name
exploit/linux/misc/jenkins_java_deserialize
Authors
- Christopher Frohoff
- Steve Breen
- Dev Mohanty
- Louis Sato
- wvu <wvu [at] metasploit.com>
- juan vazquez <juan.vazquez [at] metasploit.com>
- Wei Chen
References
- CVE-2015-8103
- URL: https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py
- URL: https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java
- URL: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
- URL: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Targets
- Jenkins 1.637
Platforms
- java
Architectures
- java
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/misc/jenkins_java_deserialize
msf exploit(jenkins_java_deserialize) > show targets
...targets...
msf exploit(jenkins_java_deserialize) > set TARGET <target-id>
msf exploit(jenkins_java_deserialize) > show options
...show and set options...
msf exploit(jenkins_java_deserialize) > exploit
Related Vulnerabilities
- Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
- Jenkins Advisory 2015-11-11: CVE-2015-8103: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
- Red Hat OpenShift: CVE-2015-8103: jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218)