CVE-2016-9299 Jenkins CVE debrief

Who should care

Administrators and operators of Jenkins controllers, especially installations running affected Jenkins weekly or LTS releases, should prioritize this issue. Security teams should also review any environment that exposes Jenkins remoting or depends on third-party integrations and legacy agents.

Technical summary

NVD classifies the issue under CWE-90 and rates it CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is in Jenkins remoting and is triggered by crafted serialized Java input, which can lead to an LDAP lookup to a third-party server and then arbitrary code execution. NVD's affected version ranges cover Jenkins weekly releases up to 2.31 and LTS up to 2.19.2, with an additional Fedora 25 package entry in the CPE criteria.

Defensive priority

Immediate

Recommended defensive actions

• Upgrade Jenkins to a fixed version at or above 2.32 for weekly releases or 2.19.3 for LTS releases.
• Verify all Jenkins controllers and packaged distributions against the affected CPE ranges, including any vendor-packaged builds.
• Review network access from Jenkins to external LDAP or other directory services and restrict unnecessary outbound connectivity.
• Check for exposure of Jenkins remoting interfaces and reduce attack surface where possible.
• Monitor Jenkins security advisories and related vendor notices for remediation guidance and environment-specific packaging updates.

Evidence notes

The core vulnerability details come from the official NVD record and CVE entry. NVD lists the affected Jenkins version ranges as weekly <= 2.31 and LTS <= 2.19.2, and it provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The record also includes vendor advisory references from Jenkins/CloudBees dated 2016-11-16 and mailing-list references from 2016-11-12 and 2016-11-14. The description of a crafted serialized Java object triggering an LDAP query is taken from the supplied CVE summary and aligns with the record references.

Official resources