A remote code execution vulnerability has been identified in the Spring Framework. This vulnerability is identified as CVE-2022-22965. Spring officially reacted early in an early announcement. SpringShell in Jenkins Core and Plugins The Jenkins security team has confirmed that the Spring vulnerability is not affecting Jenkins Core. There is no impact because we are using Stapler as a servlet, and neither Spring MVC nor Spring WebFlux. An analysis was done...

A critical security vulnerability has been identified in the popular "Apache Log4j 2" library. This vulnerability is identified as CVE-2021-44228. Log4j in Jenkins The Jenkins security team has confirmed that Log4j is not used in Jenkins core. Jenkins plugins may be using Log4j. You can identify whether Log4j is included with any plugin by running the following Groovy script in the Script Console: org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource If this results in the following error,...

Earlier this week the Jenkins infrastructure team identified a successful attack against our deprecated Confluence service. We responded immediately by taking the affected server offline while we investigated the potential impact. At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected. Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to...

Background Jenkins custom resources on a Kubernetes cluster are deployed using declarative YAML configuration files; hence some of the plugins declared in these files may contain security warnings. So there is no way for the user to know other than manually checking for each on the site. This project aims to add an extra step of validation before creating/updating a new Jenkins Custom Resource. Deliverables This project aims to...

Context Jenkins is a CI/CD solution and as such, it is critical that the open source plugins that constitute an integral part of it don’t expose the systems they are used on to any security risks and vulnerabilities. It is in that context that we worked as an audit/code review team to track and report such flaws and problematic practices. We worked in collaboration with Jenkins Security...

A little over a month ago, GitHub announced the general availability of its code scanning solution. It’s based on CodeQL, which makes it pretty easy to write queries for it and run them using the CodeQL GitHub action, CodeQL command line tools, or on lgtm.com. Many of the security vulnerabilities discovered in Jenkins plugins are fairly similar to each other, and unfortunately they’re usually specific to...

Eagle-eyed readers of today’s security advisory may already have noticed that we consider the cross-site scripting (XSS) vulnerabilities to be 'High' severity. This is a change from previous security advisories, in which similar vulnerabilities got a 'Medium' score. We follow the guidelines of CVSS version 3.0 for the severity we assign to these issues. Their examples for XSS vulnerabilities, as well as XSS vulnerabilities in other software,...

Azure Key Vault is a product for securely managing keys, secrets and certificates. I’m happy to announce two new features in the Azure Key Vault plugin: a credential provider to tightly link Jenkins and Azure Key Vault. huge thanks to Jie Shen for contributing this integration with the configuration-as-code plugin. These changes were released in v1.8 but make sure to run the latest version of the plugin, there has...

Spotbugs is a utility used in Jenkins and many other Java projects to detect common Java coding mistakes and bugs. It is integrated into the build process to improve the code before it gets merged and released. Findsecbugs is a plugin for Spotbugs that adds 135 vulnerability types focused on the OWASP TOP 10 and the Common Weakness Enumeration (CWE). I’m working on integrating...

Table of Contents The Problem Code Duplication And Security A Branch Is Not A Feature Documentation The Solution Code Duplication And Security A Branch Is Not A Feature Documentation This post will describe some common problems I’ve had with Jenkins and how I solved them by developing Generic Webhook Trigger Plugin. The Problem I was often struggling with the same issues when working with Jenkins: Code duplication and security - Jenkinsfiles in every repository. A branch is...