How to remove short-term mitigation for the Jenkins security issue SECURITY-2349/CVE-2021-21648

Article ID: 4402611630605

Issue

  • After applying the long-term fix for the Jenkins security issue SECURITY-2349/CVE-2021-21648 (security advisory), I want to remove the short-term mitigation from my controller(s) and Operations Center.

Resolution

Removing mitigation on an Operations Center or a Standalone Controller

  1. Go to Manage Jenkins -> Configure System.

  2. Scroll down to Request Filtering.

  3. Locate the rule whose URI pattern is .*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*

  4. Click the Delete button to the lower right of the rule to delete it.

  5. Select Save.

Removing mitigation on Controllers in an Operations Center cluster

In any clustered environment with an Operations Center and Controllers connected to it, you need to remove the mitigation on the CloudBees Operations Center itself (see Removing mitigation on an Operations Center or a Standalone Controller) as well as on every Controller managed by the Operations Center, as explained below.

To remove the mitigation on multiple controllers managed by a CloudBees Operations Center, you can use a Cluster Operation.

Note: Controllers must be Running and Connected for the Cluster Operation to be successful and correctly apply the change.

To create and configure a cluster operation:

  1. On your operations center, click New Item and choose Cluster Operations, and choose a name of your choice (such as Remove mitigation for SECURITY-2349 on all online controllers).

  2. In Target Managed controllers, add the controllers upon which you want to remove the mitigation (such as From Operations Center Root).

  3. Under Filters, click Add Filter and choose Client Controller / Managed Controller Is Online.

  4. Under Steps, click Add Step and choose Execute Groovy Script on Controller. Enter the following script:

     import com.cloudbees.jenkins.plugins.requestfilter.*

     // Regex of the mitigation rule as it appears under Request Filtering. In a single-quoted
     // Groovy string '\\\\' is two backslashes, so this string matches the configured pattern.
     String mitigationPattern = '.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'
     // Copy into a mutable list: getRules() may return an immutable list
     // (for example Collections.emptyList()), which cannot be modified in place.
     List<Rule> existingRules = new ArrayList(Rules.get().getRules())
     int oldCount = existingRules.size()
     // Drop every rule whose pattern contains the mitigation regex
     existingRules.removeAll { rule -> rule.pattern.contains(mitigationPattern) }
     if (oldCount - existingRules.size() > 0) {
         println 'Mitigation pattern found. Removing.'
         Rules.get().setRules(existingRules)
     } else {
         println 'Mitigation pattern not found. No changes are made.'
     }
  5. Select Save and Run.
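To confirm the result on a given controller (or on all of them, as a second Cluster Operation step or from the Script Console under Manage Jenkins), the following read-only script lists the Request Filtering rules currently configured and reports whether the SECURITY-2349 mitigation rule is still present. It is an added example, not part of this article or of CloudBees' own tooling; it only uses the Rules.get().getRules() API and the rule.pattern property that the removal script above already relies on, and it assumes the mitigation was added with exactly the pattern shown in that script.

```groovy
import com.cloudbees.jenkins.plugins.requestfilter.*

// Same pattern string as in the removal script: in a single-quoted Groovy string
// '\\\\' is two backslashes, so it equals the regex shown under Request Filtering.
String mitigationPattern = '.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'

// Read-only: this script never calls setRules(), so it is safe to run repeatedly.
List<Rule> rules = Rules.get().getRules()
println "Request Filtering rules currently configured: ${rules.size()}"
rules.eachWithIndex { rule, i ->
    println "  [${i}] ${rule.pattern}"
}

boolean mitigationPresent = rules.any { rule -> rule.pattern.contains(mitigationPattern) }
println(mitigationPresent
    ? 'SECURITY-2349 mitigation rule is STILL PRESENT on this controller.'
    : 'SECURITY-2349 mitigation rule is not present on this controller.')
// Returned so the value also shows up as the script result in the Script Console
// and in the Cluster Operation log.
return mitigationPresent
```

If the script reports the rule as still present on a controller after the Cluster Operation, check that the controller was Running and Connected when the operation ran (see the note above) and re-run the operation for that controller.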