CloudBees is pleased to announce the newest CloudBees CD/RO long-term support (LTS) release. You can find specific information about this release in the following sections:
Security fixes
The following security fixes and improvements have been made as part of this release:
- Fixed issue that could result in object information exposure
  When running objects that contained echo statements, it was possible for internal information about the object to be exposed as part of the echo statement. This behavior has been updated to use static strings instead. This issue was fixed for multiple CloudBees CD/RO objects.
- Fixed unsanitized user input that could lead to ReDoS vulnerability
  Multiple HTTP-based parameters accepted user input that was not sanitized. If exploited, regular expressions could be constructed within the input that could lead to Regular Expression Denial of Service (ReDoS) attacks. These issues have now been fixed, and user input is checked to prevent such exploits.
- Fixed XXE authentication issue in CloudBees CD/RO components
  Security vulnerabilities were identified in how CloudBees CD/RO parsed XML requests related to XML External Entity (XXE) processing. These vulnerabilities could lead to:
  - Unauthorized access to sensitive data.
  - The ability to modify or delete data.
  - The potential to delete instances or disable agents, causing service disruption.
  This issue has been fixed, and CloudBees CD/RO now protects against XXE processing.
- Fixed possible command injection vulnerability
  Improved handling of how user input is sanitized to help prevent command injection vulnerabilities.
- Fixed issue with privilege escalation vulnerability
  In some cases, it was previously possible for users to assign themselves to arbitrary user groups, which allowed them to inherit the group’s permissions and possibly modify objects without being granted formal permission.
- Fixed possible path traversal vulnerability
  Fixed an issue with some objects where users could input data that was not sanitized, which could lead to path traversal attacks.
- Red Hat UBI updated to address multiple security vulnerabilities
  Red Hat UBI 9 Minimal, used by CloudBees CD/RO containers, has been updated to v9.4-1194 to address multiple security vulnerabilities.
- Updated third-party libraries to address vulnerabilities
  The following third-party libraries have been updated to address vulnerabilities:
  - httpd has been updated to v2.4.60.
  - PHP has been updated to v8.1.29.
New features
The following new features are introduced as part of this release:
- Analytics reports can be exported in JSON and XML from UI
  You can now export Analytics reports in both JSON and XML. Additionally, you can export either the preview data or the complete data set. To export a report, open the report’s options menu and select Export report. When exporting the full data, note that OpenSearch has a document limit of 10,000.
Feature enhancements
The following feature enhancements have been made as part of this release:
- Allow localized permissions for application operations
  The behavior for ACL permissions at the application level has been enhanced. You can now perform operations on applications where you have adequate permissions without requiring project-wide permissions.
- Replace instances of legacy configurations with new configurations during migration
  The Migrate configurations service catalog item, which updates legacy plugin configurations to the new configuration type, now includes the Update configuration path option. Selecting this option updates the plugin configuration value used in all project instances from the specified legacy configuration to the new one.
  Running the Migrate configurations service catalog item with the Update configuration path option enabled updates all instances of legacy plugin configurations in all project objects. This action cannot be undone except through manual effort. For further information, refer to Migrating your plugin configurations.
- Improved performance of the Flow name template
  The flowNameTemplate has been updated to remove an incremental counter that was shared across the server. Using the incremental counter increased wait times when a high volume of pipelines were started simultaneously. The template now uses a unique flow runtime ID, which significantly improves wait times during high-volume periods.
- Search and filter for application snapshots
  For application snapshots, you can now use basic searches and advanced filtering to refine results.
- Improved the user count behavior displayed in UI
  The user count displayed in the UI has been updated to show only the actual number of licensed users; the admin and admin-readonly users are no longer included in the count.
- CloudBees CD/RO agent security recommendations have been updated
  CloudBees CD/RO agent security recommendations have been updated with details on how to better manage agent permissions and limit privilege escalations. For more information, refer to Agent security recommendations.
- Sub-releases are now visible in Portfolio list and views
  Sub-releases manually added in the Kanban view as part of the release definition are now shown in Portfolio lists and in Portfolio basic views.
- Stages are no longer automatically marked complete in Release Editor
  To improve performance and usability of nested pipelines, stages are no longer automatically marked as Completed in the Release Editor when they complete. You can still manually mark stages as Complete and Incomplete.
- Helm version updated for CloudBees CD/RO agents
  The Helm version included with CloudBees CD/RO agent images has been updated to v3.15.4.
Resolved issues
The following issues have been resolved as part of this release:
- Not able to select Release type parameter in new pipeline run
  Within pipelines, when creating a Release type parameter based on another parameter, you were not able to select the release after selecting New run. This issue has been fixed, and now you can select the release.
- Not able to delete snapshot after binding it to a release that was deleted
  Previously, if a snapshot was bound to a release, and then the release was deleted, you were unable to delete the snapshot. This behavior has been fixed, and now you can delete the snapshot as expected after deleting the release.
- Updated UI to avoid dashboard elements appearing as hyperlinks when drill-down target is undefined
  In the dashboards UI, if a widget visualization type was set to Table and the Drill-Down target was not defined, hovering over a table value underlined the value so that it looked like a hyperlink. This behavior has been updated, and now values are underlined only when it is possible to navigate to an underlying object.
- Disabling publishing artifacts from UI does not hide related UI options
  Previously, after disabling artifact publishing in the UI, the Upload artifact version button could still be selected. Additionally, the There are no Artifact versions. Add one + trigger was also present if no other artifacts had been uploaded. The usability of this feature has been improved, and now, when artifact publishing is disabled, the Upload artifact version button and the There are no Artifact versions. Add one + trigger are no longer present. Additionally, on the popup, the Publish Artifact Version option is also hidden when publishing is disabled.
- Pipeline groups with two manual approver steps not working as expected when restarting group
  In a pipeline serial group with two manual approver tasks, if the first passed and the second was rejected, and the group was restarted, the first approval was not restarted, but the second was. However, if both approvals passed on the first attempt, and then you restarted the group, both manual approver tasks were restarted.
  This behavior has been updated for consistent usability. Now, if you restart the group within the UI, all tasks within the serial group are restarted. If you restart the serial group via ectool restartPipelineRun, you can now use the --fromFailure <0|1|true|false> argument to start the group from the first failure in the group.
- Fixed manual tasks with parameters not working if pipeline definition changed
  Fixed an issue where manual tasks with parameters no longer worked, and the pipeline would become blocked, if the definition of the parent pipeline was changed.
- Update error handling for undefined and null values in legacy UI
  Fixed issues causing errors to appear on pages in the legacy UI and in /opt/cloudbees/sda/apache/logs/error.log due to unset or undefined values. The error handling has been updated to prevent undefined index errors by setting default values for the problematic elements.
- Fixed issue for email notifiers when creator is removed as user
  Fixed an issue that caused email notifiers to fail if the creator’s CloudBees CD/RO user account was removed.
- Fixed default properties being expanded from Master components within sub-procedures
  When calling sub-procedures based on Master components, properties that were used as input parameters were expanded within the object details even when Defer Expansion was enabled. This behavior has been fixed, and these properties are no longer expanded.
- Fixed polling trigger failure for tags lists that used regular expressions
  Fixed an issue that resulted in the polling trigger failing when Run the trigger for each tag? was left unchecked and the Tags list contained regular expression patterns.
- Fixed kubectl-based microservice deployments being incorrectly promoted
  Fixed an issue with the canary deployment strategy where a microservice deployment was incorrectly promoted despite being aborted at the second pause stage.
- AD groups with \ in the name cannot be deleted
  Previously, if an AD group name contained a \ (for example, org\users), the group could not be deleted from CloudBees CD/RO. This behavior has been fixed, and now these groups can be deleted as expected.
- Deleting a release with a pipeline would delete schedules associated with the pipeline
  When a schedule was configured with a pipeline and a release was also configured using the same pipeline, deleting the release also deleted the schedule for the pipeline. This issue has now been fixed, and deleting a release no longer affects schedules associated with the pipeline.
- Incorrect AD LDAP provider URL causes timeout instead of failure
  When configuring Active Directory (AD) as an LDAP provider, if the URL for the provider was incorrect, ectool calls and UI queries that rely on the connection would time out instead of returning an error. This issue has been fixed, and now an error message is returned if the URL is unreachable.
- Add catalog item button is disabled after creating a catalog item
  Fixed an issue where, after creating a catalog item, you were not able to select the Add catalog item button.
- Analytics reports that contain @timestamp can now be exported in XML
  Previously, if your Analytics reports contained the @timestamp field, they could not be exported by ectool in XML. This behavior has been fixed, and now reports can be exported using the default command format:
  ectool runReport <projectName> <reportName>
  To export reports in JSON, you can use:
  ectool --format json runReport <projectName> <reportName>
- JobStep log was not retrieved for Windows agents
  Fixed an issue where JobStep logs were not properly retrieved for Windows agents.
Known issues
The following issues are included as known issues in this release:
- MeanLeadTime report does not work correctly without release runs
  The MeanLeadTime report does not work correctly when Elasticsearch only has pipeline runs but no release runs.
- Data from a custom data retention policy schedule is not purged for single runs
  When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.
- Artifacts can’t be transferred across zones using UI
  The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.
- Using PostgreSQL change tracking may generate errors
  When using PostgreSQL with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but it is not expected to have any effect on the performance of the system.
- Events generated from CloudBees CI create URLs that cause 401 errors
  Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins-configured URLs and cause 401 errors.
- Process steps modified during runs to be manual will hang
  When a process step that is not manual is modified to be manual after the process runs, but before the associated job step is evaluated, the step hangs and adds a java.lang.IllegalStateException: Unknown step type: manual exception to the log.
- flowRuntime reports existing CloudBees CI job when switching platforms
  The flowRuntime response contains hasCIJobs=1 if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.
- CloudBees CI build logs are not accessible using getCIBuildLog without controller restart
  When running getCIBuildLog for a CloudBees CI build, the build log cannot be accessed without restarting the CloudBees CI controller that ran the build. As a workaround, restart your CloudBees CI controller and set up a number of executors; getCIBuildLog can then be used to access the CloudBees CI build logs.
- Catalog item objects cannot end in spaces on Windows agents
  On Windows agents, the "Export DSL" catalog item fails to export objects whose names end in spaces.
- Undefined parameters returned in CloudBees CI job response
  In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.
- Multi-select menu options don’t define specific projects of project objects
  Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as projectName, you can select multiple options in dropdown menus. However, the parameter value contains only an object name (or a list of names in the case of multi-select) with no connection to a project, and there is no way to identify which object exists in which project. CloudBees does not recommend using multi-select options for parameters used as a project parameter dependency for object-like parameters when configuring formal parameters. This applies to the following formal parameter types:
  - Application
  - Procedure
  - Pipeline
  - Release
  - Environment
- v10.2 and earlier legacy services may cause failed upgrades and break database consistency
  Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and database consistency may break. Additionally, even if the upgrade returns successfully, it may still be impossible to run the validateDatabase API. As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade.
- dslsync apply does not delete microservice mapping when source microservice has fewer mappings than target
  Mapping for microservices is not deleted when the source microservice contains fewer mappings than the target microservice. This mismatch of microservices occurs when the following actions are performed.
  On the DEV server:
  - A microservice with 1 mapping is modified.
  - dslsync apply is used to promote DEV changes to:
    - DEV Git and CD/RO instances.
    - PROD Git and CD/RO instances.
    Expected/Actual Result: Both DEV and PROD data are synchronized = microservice with 1 mapping.
  - The microservice is renamed.
  - dslsync apply is used to promote changes to DEV Git and CD/RO instances.
    Expected/Actual Result: DEV and PROD data are NOT synchronized.
    - DEV = Renamed microservice with 1 mapping.
    - PROD = Microservice with the old name and 1 mapping.
  On the PROD server:
  - Mapping is added to the microservice with the old name.
  - dslsync apply is used to promote changes to PROD Git and CD/RO instances.
    Expected/Actual Result: DEV and PROD data are NOT synchronized.
    - DEV = Renamed microservice with 1 mapping.
    - PROD = Microservice with the old name and 2 mappings.
  - dslsync apply is used to promote DEV changes to PROD Git and CD/RO instances.
    - Expected Result: Both DEV and PROD data are synchronized = Renamed microservice with 1 mapping.
    - Actual Result: DEV and PROD data are NOT synchronized. DEV = Renamed microservice with 1 mapping. PROD = Renamed microservice with 2 mappings.
- Kerberos SSO sign-in issues
  You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.
- v10.2 and earlier legacy services may cause failed upgrades and break database consistency
  When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the validateDatabase API. As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade. When upgrading a clustered deployment of CloudBees CD/RO, before running the installer to upgrade, delete the contents of the broker-data directory, located at <DATA_DIR>/broker-data-<hostname>.
- CloudBees Analytics server cannot be configured in legacy UI
  On the legacy UI configuration page, the message WARNING: 'getDevOpsInsightServerConfiguration' API is deprecated. is displayed, because Elasticsearch is no longer supported. Additionally, it is no longer possible to configure CloudBees Analytics from this page, because it is deprecated and will be removed in a future release. To configure your CloudBees Analytics server, use the configuration page in the non-legacy UI.
- UI settings for Instance header can cause the navigation to disappear after updating
  If you upgrade from v2023.06.0 or earlier to v2023.10.0 or later while Instance header is Enabled and has a null value for the UI header label, the navigation may not load after the upgrade.
  Workaround if you have already upgraded:
  - Downgrade back to the pre-upgrade version.
  - Navigate to the UI settings and set Instance header to Disabled.
  - Perform the upgrade again.
  Workaround if you have not already upgraded:
  Navigate to the UI settings, and either:
  - Set Instance header to Disabled.
  - Set Instance header to Enabled, and add a value in UI header label.
- Catalog item parameters with dynamic default values are not populated automatically
  In the Service catalog, for catalog item parameters with dynamic default values based on dependencies on another parameter, the default values are not automatically populated when the dependency is initially selected. However, the default values are automatically populated after selecting the dependency default value a second time.
  Workaround: Select the dependency value and allow the page to reload, and then select the dependency value a second time. This should populate the remaining item parameters with dynamic default values.
- SyncArtifactVersions procedure completes with success when it should fail
  The SyncArtifactVersions procedure completes with success, rather than showing a warning, when the manifest is missing and overwrite = false.
- Automation Platform UI requires artifacts to use English characters in their file names
  When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error:
  Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error
- Must restart server to apply LDAP changes
  Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.
- Not all Elasticsearch operations can be performed in a red state
  (Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.
- Microsoft Edge® doesn’t support SAML 2.0
  The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.
- LANG environment variable must be set to en.US.UTF-8
  The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.
- Schedules missing configuration do not display runtime error prompts
  Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.
- Changing name in Release Dashboard changes stage status color
  The stage inclusion status in the Release Dashboard changes color after a stage is renamed.
- Steps that cannot access their child steps are not retried
  If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses retry on error error handling. The job eventually completes with an error.
- Retry count missing from pipeline runtime page
  The retry count for group tasks or rules using automated retry on error is missing from the Pipeline runtime page.
- Email notifications are not supported for complex environment mapping
  Multiple mapped environments with the same name from different projects are not supported in email notifications.
- Path-to-production view missing from imported project
  A project import might not include the path-to-production view.
- All subreleases must be present to link to a release
  All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.
- CloudBees Analytics report editor doesn’t include search by assignee
  The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.
- Additional Release Command Center configurations for Jira
  If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping projectName:releaseProjectName, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName.
- Approval by email on manual tasks
  Approval by email on manual tasks should not expect parameters.
- ectool export and ectool import should only be used between same server versions
  If you use ectool export to export your system configuration from a previous release, and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.
- SSO requires additional PHP configuration
  SSO does not work unless the PHP configuration is changed, due to a security-related request. As a workaround, change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.
- No UI to run or review pre-v10.1 triggers
  CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work, but there is no UI to review or run them.
- Legacy definitions and references cause unexpected behavior for full data exports
  Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.
- Reverting changes is not possible for all objects
  You can only revert changes for high-level design objects such as applications, procedures, procedure steps, workflow definitions, and state definitions.
  Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).
- Recursively traversing nested group hierarchies may cause performance issues
  Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of the group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load of nested group hierarchy traversal.
- Disabling and re-enabling change tracking may cause performance issues
  System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.