CloudBees CD/RO v2023.08.1
CloudBees is pleased to announce the v2023.08.1 security patch release of CloudBees CD/RO. With this release, CloudBees has released a fix for a critical vulnerability.
Security fixes
- This release includes the following security updates to address potential vulnerabilities:

  CloudBees CD/RO v2023.08.0 contains a critical security vulnerability that could result in attackers:
  - Gaining unauthorized access to sensitive data.
  - Modifying or deleting data in your environment.
  - Deleting instances or disabling agents, causing service disruptions.

  This vulnerability has been fixed in the v2023.08.1 release. If you are using v2023.08.0, CloudBees recommends immediately upgrading to v2023.08.1.
New features
Refer to CloudBees CD/RO v2023.08.0 New features.
Plugin enhancements
For new bundled plugins, refer to CloudBees CD/RO v2023.08.1 bundled plugin report.
- Plugin Development Kit enhancements
Resolved issues
Issue | Description
---|---
CDRO-824 | Security vulnerabilities were identified in how CloudBees CD/RO parsed XML requests related to XML External Entity (XXE) processing. These vulnerabilities could lead to:
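The CDRO-824 entry names the vulnerability class (XXE in XML request parsing) but not the fix. The following is an added, hypothetical example of how a Java service hardens a JAXP parser against XXE; it is not CloudBees CD/RO code and says nothing about how the product itself was patched. The class name, the `parseRequest` helper and both sample request bodies are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Hypothetical hardened XML request parser (added example, not CloudBees code).
 * Any DOCTYPE is rejected outright, so no internal or external entity can be
 * declared at all; the remaining settings are defence in depth in case a
 * deployment ever relaxes the DOCTYPE ban.
 */
public final class HardenedXmlRequestParser {

    private HardenedXmlRequestParser() {}

    /** Builds a DocumentBuilder with the XXE-relevant features switched off. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse every DOCTYPE declaration: the single most effective XXE control.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: never resolve external general or parameter entities,
        // and never fetch an external DTD.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // An empty protocol list means no external DTD or schema access of any kind.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newDocumentBuilder();
    }

    /** Parses an inbound request body; throws SAXException if the body carries a DOCTYPE. */
    public static Document parseRequest(String body)
            throws ParserConfigurationException, SAXException, IOException {
        return newHardenedBuilder().parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests. The second declares a DTD, which is the
        // prerequisite for any entity-based attack and what the builder refuses.
        String plain = "<request><action>getJob</action></request>";
        String withDoctype =
                "<!DOCTYPE request [<!ENTITY placeholder \"x\">]><request>&placeholder;</request>";

        System.out.println("plain root: " + parseRequest(plain).getDocumentElement().getTagName());
        try {
            parseRequest(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            // Expected path: the parser reports the disallowed DOCTYPE before any entity is expanded.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The point a reviewer checks is that the builder is created fresh with these features for every untrusted input path; a parser shared with a trusted, DTD-using code path is the usual way such settings get lost.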
Installation notes
For a complete list of installation notes, refer to CloudBees CD/RO v2023.08.0 Installation notes.
- CloudBees CD/RO on Kubernetes
CloudBees CD/RO server and agent Helm chart values are publicly available and provide the CloudBees default installation values. The CloudBees CD/RO `images.tag` value associated with v2023.08.1 is:

`2023.08.1.175835_3.2.51_20240731`
- Updated Helm charts
Updated Helm charts are available for CloudBees CD/RO v2023.08.0.
Name | Chart version | App version | Description
---|---|---|---
cloudbees/cloudbees-flow | 2.26.1 | 2023.08.1.175835 | A Helm chart for CloudBees Flow
cloudbees/cloudbees-flow-agent | 2.26.1 | 2023.08.1.175835 | A Helm chart for CloudBees Flow Agent
- CloudBees CD/RO Universal Base Image (UBI)
The actual UBI associated with v2023.08.1 is 9.2-691.
Known issues
Issue | Description
---|---
BEE-14581 | The MeanLeadTime report does not work correctly when Elasticsearch has pipeline runs but no release runs.
BEE-14933 | The UI does not allow the transfer of artifacts across zones.
BEE-17259 | When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.
BEE-20536 | When using Postgres with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but it is not expected to affect system performance.
BEE-27713 | Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins-configured URLs and cause 401 errors.
BEE-28886 | You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.
BEE-29494 | When a process step that is not manual is modified to be manual after the process runs but before the associated job step is evaluated, the step hangs and adds a
BEE-30080 |
BEE-35136 | On Windows agents, Export DSL fails to export objects whose names end in spaces.
BEE-35271 | When running
CDRO-257 | When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade. When upgrading a clustered deployment of CloudBees CD/RO, before running the installer to upgrade, delete the contents inside the
NMB-24734 |
NMB-24949 | When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error:
NMB-26021 | Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or
NMB-26962 | (Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the Task Manager before running the installer for these actions.
NMB-28135 | The Microsoft Edge browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Edge is not recommended for sign-in via SAML 2.0.
NMB-29486 | The LANG environment variable must be set to
CEV-12363 | Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.
CEV-12429 | The stage inclusion status in the Release Dashboard changes color after a stage is renamed.
CEV-15122 | If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses "retry on error" error handling. The job eventually completes with an error.
CEV-15829 | The retry count for group tasks or rules using "automated retry on error" is missing from the Pipeline runtime page.
CEV-16245 | Multiple mapped environments with the same name from different projects are not supported in email notifications.
CEV-16250 | A project import might not include the path-to-production view.
CEV-18531 | All subreleases of a release must appear before the release in the DSL for the release-to-subrelease link to be created.
CEV-19239, CEV-19259 | The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.
CEV-21426 | If Release Command Center was set up for JIRA for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping
CEV-23624 | Approval by email on manual tasks should not expect parameters.
CEV-25150 | If you use the
CEV-26700 | SSO does not work unless the PHP configuration is changed due to a security-related request. Workaround: Change
CEV-28704 | CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers continue to work, but there is no UI to review or run them.
CEV-28779 | Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to
N/A | You can revert changes only for high-level design objects such as applications, procedures, procedure steps, workflow definitions, and state definitions.
N/A | Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of the group hierarchy in the LDAP server, and the network latency between the servers. Make sure that your directory provider can handle the additional load of nested group hierarchy traversal.
N/A | System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.