CVE-2014-3566 "poodle" impact on Jenkins
Another day, another SSL vulnerability! Google has announced a vulnerability in SSL v3, and if you are using the "Winstone" servlet container built into Jenkins, and if you are using the HTTPS connector with the --httpsPort option (it is off by default), then you are vulnerable to this problem.
I’ve just issued a security advisory on this. If you haven’t already subscribed to the Jenkins security advisory mailing list, this is a great opportunity to do so.
The advisory includes the target delivery vehicles for the fix and how you can address the problem in the meantime. Inside a corporate intranet, where Jenkins is typically used, I suppose there's a degree of trust among participants that makes this less of a problem. But if you run an internet-facing Jenkins, be sure to deploy the fix.
(And as I write this, I've fixed all the https://*.jenkins-ci.org servers to disable SSLv3, so we are covered there.)
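For anyone who wants to confirm that their own Jenkins HTTPS endpoint (or the reverse proxy in front of it) really stopped accepting SSLv3 after the fix, here is a small probe. It is an added example and is not code from this post or from the Jenkins project. It hand-builds an SSLv3 ClientHello record (layout from the SSL 3.0 specification) because current Python `ssl` builds no longer speak SSLv3, sends it, and classifies the first record the server sends back: a ServerHello with version 3.0 means SSLv3 is still on, an alert means it was refused. The host and port are whatever you want to check; the default hostname in the script is a placeholder.

```python
import os
import socket
import struct

# Protocol version bytes for SSL 3.0 (major 3, minor 0)
SSLV3 = b"\x03\x00"

# A few RSA cipher suites that SSLv3-era servers commonly offered; a constructed
# list, enough to get a ServerHello from a server that still allows SSLv3 at all.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello():
    """Build a complete SSLv3 ClientHello record (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                       # client_version = 3.0
        + os.urandom(32)                            # 32-byte client random
        + b"\x00"                                   # session_id: empty
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake record


def classify_response(data):
    """Interpret the first record a server sends back to the SSLv3 ClientHello.

    Returns 'sslv3_accepted' (ServerHello with version 3.0), 'rejected'
    (an alert record, e.g. handshake_failure or protocol_version), or
    'unknown' (connection closed, reply too short, or something else).
    """
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:                        # alert record
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # handshake record carrying a ServerHello; server_version sits at bytes 9-10
        return "sslv3_accepted" if data[9:11] == SSLV3 else "unknown"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the ClientHello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""                             # no answer: treat as unknown
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    # "jenkins.example" is a placeholder; pass your own host and port on the command line
    host = sys.argv[1] if len(sys.argv) > 1 else "jenkins.example"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} -> {probe_sslv3(host, port)}")
```

Run it as `python probe.py your.jenkins.host 8443` against the port you configured with --httpsPort. A server that simply drops the connection on an SSLv3 hello shows up as `unknown`; that is still a pass in practice, but re-run it once or twice before trusting it, and treat `sslv3_accepted` as the only definitive failure.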