SID 1-51961

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt

Rule Explanation

This event is generated when a serialized java object is sent to the Jenkins CLI. Impact: Attempted Administrator Privilege Gain Details: A Java object deserialization vulnerability exists in the Jenkins CLI interface. This event is triggered when a serialized Java object is sent to the interface. Ease of Attack:

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Non-malicious serialized java objects

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

CVE-2016-9299

Additional Links

jenkins.io/security/advisory/2016-11-16/

jenkins.io/security/advisory/2017-04-26/

Rule Vulnerability

CVE Additional Information

CVE-2016-9299

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Details
Severity		Base Score	9.8
Impact Score	5.9	Exploit Score	3.9
Confidentiality Impact	HIGH	Integrity Impact	HIGH
Availability Impact	HIGH	Attack Vector	NETWORK
Scope	UNCHANGED	User Interaction	NONE
Authentication		Ease of Access	LOW
Privileges Required	NONE