Jenkins CI Server Commons-Collections Library Insecure Deserialization

Jenkins is an open source continuous integration (CI) tool written in Java. It builds and tests software continuously and tracks the status of existing jobs. It supports various version control systems such as Subversion, Git and Perforce.

For remote administration, Jenkins ships a command line interface (CLI) tool called jenkins-cli.jar. Commands sent with this tool are processed by the Jenkins server through Remoting: the client serializes objects and the server deserializes them. An insecure deserialization vulnerability (CVE-2015-8103) exists in the server because untrusted data is deserialized and processed by a vulnerable version of the Apache Commons Collections library. An unauthenticated remote attacker can exploit the vulnerability by sending a specially crafted serialized object. Successful exploitation can lead to execution of arbitrary commands on the server. The problem is located in the readObject() method in the ‘connection.class’ class file.

The vulnerability arises when untrusted data is deserialized while vulnerable Apache Commons Collections classes are on the classpath. Such classes include, for example:

  • InvokerTransformer
  • ForClosure
  • CloseTransformer

to name a few. The untrusted data eventually reaches the Runtime.exec() method, where arbitrary code is executed. Below is the applied fix. The fix filters a list of classes that are considered unsafe:

Vulnerable versions:

  • Jenkins 1.637 and prior
  • Jenkins LTS releases 1.625.1 and prior
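To illustrate the kind of mitigation the fix applies (rejecting unsafe classes before they are deserialized), here is an added example, not Jenkins' own ClassFilter code: an ObjectInputStream whose resolveClass() hook refuses the Commons Collections functors classes that hold InvokerTransformer, ForClosure and the other gadget types. The deny-list patterns and the isDenied helper are assumptions made for this example.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

/** Illustrative deny-list ObjectInputStream; not Jenkins' own ClassFilter. */
public class FilteringObjectInputStream extends ObjectInputStream {

    // Constructed deny-list: the Commons Collections functors packages that hold
    // InvokerTransformer, ForClosure and the other Transformer/Closure gadgets.
    private static final Pattern[] DENIED = {
        Pattern.compile("^org\\.apache\\.commons\\.collections\\.functors\\..*"),
        Pattern.compile("^org\\.apache\\.commons\\.collections4\\.functors\\..*"),
    };

    public FilteringObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** True when a class name matches the deny-list (hypothetical helper). */
    public static boolean isDenied(String className) {
        for (Pattern p : DENIED) {
            if (p.matcher(className).matches()) return true;
        }
        return false;
    }

    // resolveClass() runs for every class descriptor before an instance exists,
    // so a denied gadget is refused before its readObject() could ever run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isDenied(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "blocked by deserialization filter");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // A harmless payload (constructed sample) still round-trips through the filter.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList("build", "test")));
        }
        try (ObjectInputStream in = new FilteringObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("accepted: " + in.readObject());
        }
        // The gadget classes named in the write-up are refused by name alone.
        System.out.println(isDenied("org.apache.commons.collections.functors.InvokerTransformer"));
        System.out.println(isDenied("java.util.ArrayList"));
    }
}
```

On Java 9 and later the same policy can be expressed declaratively with ObjectInputFilter instead of overriding resolveClass().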

Dell SonicWall has written the following signature, which protects our customers from attacks against this vulnerability:

  • 11314.Jenkins CLI Remote Code Execution