CloudBees CD/RO v2024.09.0

When running objects that contained echo statements, it was possible that internal information about the object could be exposed as part of the echo statement. This behavior has been updated to use static strings instead.

There were multiple HTTP-based parameters that accepted user input that was not sanitized. If exploited, regular expressions could be constructed within the input that could lead to Regular Expression Denial of Service (ReDoS) attacks. These issues have now been fixed, and user input is checked to prevent such exploits.

Security vulnerabilities were identified in how CloudBees CD/RO parsed XML requests related to XML External Entity (XXE) processing. These vulnerabilities could lead to:

Improved handling of how user input is sanitized to help prevent command injection vulnerabilities.

In some cases, it was previously possible for users to assign themselves to arbitrary User groups, which allowed them to inherit the group’s permissions and possibly modify objects without being granted formal permission.

Fixed issue with some objects where users could input data that was not sanitized, which could lead to using path traverse attacks.

Red Hat UBI 9 Minimum used by CloudBees CD/RO containers has been updated to v9.4-1194 to address multiple security vulnerabilities.

The following third-party libraries have been updated to address vulnerabilities:

You can now export Analytics reports in both JSON and XML. Additionally, you have the option to export either the preview data or the complete data set. To export a report, navigate to Analytics reports  REPORT-NAME  Preview, and select the options menu and Export report.

The behavior for ACL permissions on the application-level has been enhanced. You can now perform operations on applications where you have adequate permissions without requiring project-wide permissions.

The Migrate configurations service catalog item, which updates legacy plugin configurations to the new configuration type, now includes the Update configuration path option. Selecting this option updates the plugin configuration value used in all project instances from the specified legacy configuration to the new one.

The flowNameTemplate has been updated to remove an incremental counter that was shared across the server. Using the incremental counter increased wait times when a high volume of pipelines were started simultaneously. The template now uses a unique flow runtime ID, which significantly improves wait times during high-volume periods.

For application snapshots, you can now use basic searches and advanced filtering to refine results.

The behavior of Configurations  CD licenses  Registered Users in Use has been updated to only display the actual number of licensed users, and no longer includes the admin and admin-readonly users within the count.

CloudBees CD/RO agent security recommendations have been updated with details on how to better manage agent permissions and limit privilege escalations. For more information, refer to Agent security recommendations.

Sub-releases manually added in the Kanban view as part of the release definition are now shown in Portfolio lists and in Portfolio basic views.

To improve performance and usability of nested pipelines, stages are no longer automatically marked as Completed in the Release Editor if they are completed.

The Helm version included with CloudBees CD/RO agent images has been updated to v3.15.4.

Within pipelines, when creating a Release type parameter base on another parameter, when you selected New run, you were not able to select the release. This issue has been fixed, and now, you can select the release.

Previously, if a snapshot was bound to a release, and then the release was deleted, you were unable to delete the snapshot. This behavior has been fixed, and now, you can delete the snapshot as expected after deleting the release.

In the dashboards UI, if a widget visualization type was set to Table and the Drill-Down target was not defined, when you hovered over a table value, the value would become underlined and appeared similar to a hyperlink. This behavior has been updated, and now only when it is possible to navigate to an underlying object are the values underlined.

When navigating to Adminstration  Server settings  Artifact management and selecting Artifact Publish from UI  Disable, if you then navigate to DevOps esstentials  Artifact management, the Upload artifact version button could still be selected. Additionally, the There are no Artifact versions. Add one + trigger was also present if no other artifacts had been uploaded.

In a pipeline serial group with two manual approver tasks, if the first passed and second was rejected, and the group was restarted, the first approval was not restarted, but the second was not. However, if both approvals passed on the first attempt, and then you restarted the group, both manual approver tasks are restarted.

Fixed issue where manual tasks with parameters no longer worked, and the pipeline would become blocked, if the definition of the parent pipeline was changed.

Fixed issues causing errors to appear on pages in the legacy UI and in /opt/cloudbees/sda/apache/logs/error.log due to unset or undefined values. The error handling has been updated to prevent undefined index errors by setting default values for the problematic elements.

Fixed issue that cause email notifiers to fail if the creator’s CloudBees CD/RO user account was removed.

When calling sub-procedures based on Master components, properties that were used as input parameters were expanded within the object details when Defer Expansion was enabled. This behavior has been fixed, and these properties are no longer expanded.

Fixed an issue that resulted in the polling trigger failing when Run the trigger for each tag? was left unchecked, and the Tags list contained regular expression patterns.

Fixed an issue with the canary deployment strategy where a microservice deployment was incorrectly promoted despite being aborted at the second pause stage.

Previoulsy, if an AD group name contained a \ (ex: org\users), the group could not be deleted from CloudBees CD/RO. This behavior has been fixed, and now, these groups can be deleted as expected.

When configuring a schedule with a pipeline and then also configuring a release using the same pipeline, if the release was deleted, the schedule for the pipeline was also deleted. This issue has now been fixed, and deleting a release no longer affects schedules associated with the pipeline.

When configuring an Active Directory (AD) for a LDAP provider, if the URL for the provider was incorrect, instead returning an error, ectool calls and UI queries that rely on the connection would timeout. This issue has been fixed, and now, when these types of operations are performed, an error messages is returned if the URL is unreachable.

Fixed issue where, after creating a catalog item, you were not able to select the Add catalog item button.

Previously, if your Analytics reports contained the @timestamp field, they could not be exported by ectool in XML. This behavior has been fixed, and now, reports can be exported using the default command format:

ectool runReport <projectName> <reportName>
▼

ectool --format json runReport <projectName> <reportName>
▼

Fixed issue where JobStep logs were not properly retrieved for Windows agents.

The MeanLeadTime report does not work correctly when Elasticsearch only has pipeline runs but no release runs.

When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.

The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.

When using PostgreSQL with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but is not expected to have any effect on the performance of the system.

Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins configured URLs and cause 401 errors.

When a process step that is not manual is modified to be manual after the process runs, but before the associated job step evaluated, the step hangs and adds a java.lang.IllegalStateException: Unknown step type: manual exception to the log.

The flowRuntime response contains hasCIJobs=1 if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.

When running getCIBuildLog for a CloudBees CI build, the build log cannot be accessed without restarting the build CloudBees CI controller. As a workaround, restart your CloudBees CI controller, and set up a number of executors, and getCIBuildLog can then be used to access the CloudBees CI build logs.

On Windows agents, "Export DSL" catalog item fails to export objects that end in spaces.

In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.

Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as projectName, you can select multiple options in dropdown menus. However, there is only an object name (or list of names in case of multi-select) in the parameter value with no connection to a project and without the ability to identify which object exists in which projects.

Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and database consistency break. Additionally, even if the upgrade returns successfully, it may still be impossible to run the validateDatabase API.

Mapping for microservices is not deleted when the source microservice contains fewer mappings than the target microservice. This mismatch of microservices occurs when the following actions are performed.

You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.

When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the validateDatabase API.

If upgrading from v2023.06.0 or earlier to v2023.10.0 or later, if Administration  Server settings  UI settings  Instance header is Enabled, and has a null value for the UI header label, the navigation may not load after an upgrade.

SyncArtifactVersions procedure completes with success, rather than showing a warning, when manifest is missing and overwrite = false.

When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error.

Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.

(Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.

The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.

The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.

Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.

The stage inclusion status in the Release Dashboard changes color after a stage is renamed.

If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses retry on error error handling. The job eventually completes with an error.

The retry count for group tasks or rules using automated retry on error is missing from the Pipeline runtime page.

Multiple mapped environments with the same name from different projects are not supported in email notifications.

A project import might not include the path-to-production view.

All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.

The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.

If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping projectName:releaseProjectName, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName.

Approval by email on manual tasks should not expect parameters.

If you use the ectool export to export your system configuration from a previous release, and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.

SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.

CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.

Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.

You can only revert changes for high-level design objects such as applications procedures, procedure steps, workflow definitions, and state definitions.

Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.

System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.