CloudBees is pleased to announce the newest CloudBees CD/RO long-term support (LTS) release. You can find specific information about this release in the following sections:

Starting with this release, Elasticsearch (DOIS) is disabled by default in CloudBees CD/RO Helm charts. This change aligns with the transition to OpenSearch and prevents unnecessary Elasticsearch deployments by default. If you have already migrated to OpenSearch/Analytics for your Kubernetes environment, no action is required.

If you have not yet migrated to OpenSearch/Analytics, refer to the Upgrade notes. Failing to perform these steps before upgrading to v2025.06.0 may result in permanent data loss.

Security fixes

The following security fixes and improvements have been made as part of this release:

ion-java library updated

To address security vulnerabilities, the ion-java library was updated to v1.10.5.

Argo Rollouts updated

To address security vulnerabilities, the kubectl-argo-rollouts version included in agent images was updated to v1.8.2.

Fixed unsanitized request URL input

A path traversal vulnerability was identified, in which unsanitized input from the request URL could be used directly as a file path. This could allow attackers to craft malicious requests that access unauthorized files or directories outside the intended location.

Helm version updated

To address security vulnerabilities, the Helm version included in agent images was updated to v3.18.0.

CloudBees Analytics updated with OpenSearch v2.19.1

To address security issues, OpenSearch was updated in CloudBees Analytics from v2.19.0 to v2.19.1.

Spring Security updated

To address security vulnerabilities, the Spring Security module was updated to v6.4.5.

Apache Commons VFS2 updated

To address security vulnerabilities, Apache Commons VFS2 was updated to v2.10.0.

jsPDF version updated

To address multiple vulnerabilities, the jsPDF library used by CloudBees CD/RO has been updated to v3.0.1.

Ingress-NGINX critical security mitigation

There have been multiple critical security issues reported for Ingress-NGINX v0-v1.12.0. These versions have been included in the default CloudBees CD/RO Helm charts, and may expose you to risks. These include:

CloudBees strongly recommends to immediately upgrade your ingress-nginx controller version to at least v1.12.1 in your values file to address these critical security issues. For more information on upgrading your ingress-nginx controller version, refer to CloudBees CD/RO Ingress-nginx values.

kubectl updated

To address security vulnerabilities, the kubectl version included in agent images was updated to v1.33.0.

Fixed unauthenticated path traversal vulnerability

Fixed path traversal vulnerability that could allow an attacker to read arbitrary files from the server.

New features

The following new features are introduced as part of this release:

Receive email notifications for tasks

You can now configure email notifications for task events, such as start, complete, failure, and abort, within the task options menu in the Notifications tab for given recipients, such as users and groups. Additionally, the default notification email includes event details, such as pipeline, stage and task name and a link to help you quickly navigate to the pipeline run details page.

This email notification is not applicable, and the Notifications tab is not accessible, for Manual type tasks and tasks configured for Manual Retry on Error.
Custom Autoscaling for build resources (Preview feature)

For Kubernetes environments, a new Custom Autoscaling feature has been introduced to automatically scale CloudBees CD/RO build resources based on your environmental load. Using this feature allows build resources to automatically be scaled up and down in configured resource pools.

This feature is a Preview feature.

Feature enhancements

The following feature enhancements have been made as part of this release:

Improved summaries for data retention policy runs

The run summaries for data retention policies have been improved to include specific information about the number of entries that were affected by the job.

Affected object count added to retention policy previews

Data retention policy previews now display the number of objects potentially affected by the policy definition.

Use alternate values file for microservice configurations

By default, the values file located in the same directory path as the microservice Helm chart is used. An option has been added to use an alternate values file located in another directory when configuring the microservice.

Pagination added to data retention policy summaries and previews

You can now navigate the full list of results in a data retention policy summary and previews using the bottom-right page navigation.

CloudBees CD/RO now supports PostgreSQL 17

CloudBees CD/RO has been tested using PostgreSQL 17 and is fully supported. For more information, refer to Supported platforms for CloudBees CD/RO on traditional platforms.

Commander UI pages updated to Flow UI

The following Commander UI pages have been updated to use the Flow UI:

  • Platform homepage  Artifacts

  • Credentials

  • Resources

  • Platform home page  Administration  Plugins

  • Platform home page  Administration  Server

Enhanced Environment Inventory with column reordering, dynamic search, and improved filtering

The Environment Inventory page now applies dynamic searching, enabling real-time filtering of results as you type. Combined with enhanced filter capabilities, multiple filters can now be applied simultaneously to experience faster, more accurate search results across your environment data. The Environment Inventory page also supports drag-and-drop functionality, allowing you to reorder the environment columns for a more personalized view.

Column order resets if you apply a filter, change the page, adjust the page count, or reload the page.
CloudBees CD/RO now supports Windows Server 2022

CloudBees CD/RO has been tested using Windows Server 2022 and is fully supported. For more information, refer to Supported platforms for CloudBees CD/RO on traditional platforms.

Enhanced Environment inventory search

The search field now dynamically displays results as you type, leveraging names to find relevant entries. Any search that requests a specific detail will return all results that match the entered name.

Improved performance of the Releases and Pipeline runs pages

Retrieving and rendering data on the Releases and Pipeline runs pages has been improved to reduce load times and enhance usability. These improvements include:

  • You can now interact with the pages as soon as the list of releases or pipeline runs is displayed, without waiting for all content to load.

  • The count of releases and pagination controls now load asynchronously to speed up initial page rendering.

  • When Expand latest run by default is enabled, or when a pipeline run is manually expanded, the Kanban view shows a contextual loader while waiting for API data without blocking the entire page.

Improved usability for run details on Pipeline runs page

On the Pipeline runs page, run details now render dynamically based on your browser window size. To improve usability, vertical scrolling has been refactored to scroll through the entire pipeline, rather than being limited to individual stages. Additionally, when selecting a deployer task within a stage, the Deployer window opens at the same location.

Kubernetes v1.32 is now supported

CloudBees CD/RO has been tested using Kubernetes v1.32 and is supported for Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). For more information, refer to Supported platforms for CloudBees CD/RO on Kubernetes.

ElectricFlow API bindings now available via Maven Central

You can now access and integrate CloudBees CD/RO JAR libraries through a centralized Maven repository, which simplifies dependency management and development workflows. The API bindings for the ElectricFlow Java/Groovy library were published to Maven Central (or an equivalent repository). This enables you to use Maven or Gradle to add it as a dependency directly, eliminating the need to upload the library to your own Maven servers.

Resolved issues

The following issues have been resolved as part of this release:

Duplicate ACL entries caused the Background Deleter to fail

Fixed an issue where duplicate ACL entries caused the Background Deleter to fail and prevented project deletion.

Project filter displayed incorrect selected project count

Fixed an issue where, when selecting or deselecting projects in the filter, caused the total count to display incorrect values or reset when scrolling. The project count now accurately reflects the selected projects and remains consistent while scrolling.

SSL Handshake failure resolved

An issue causing SSL protocol failures (e.g., SSL upgrade failed: SSL connect attempt failed error:0A000410:SSL routines::sslv3 alert handshake failure) has been fixed in the product code. This eliminates the need to apply manual workarounds previously required.

Only 20 credentials are listed in Credentials references

An issue was reported that when checking the credentials reference for an object, only the first 20 credentials would be displayed. This issue has been fixed, and now, all credentials for the object are displayed as expected.

Properties were not included in archives for pipelines or releases

Fixed an issue where, when a pipeline or release run was archived through a data retention policy, the archive file did not include the properties associated with the run. Now, the properties for the run are exported to the archive file as expected.

Error message returned for ec-specs dependencies

Due to potential security issues, CloudBees has migrated the archive for the ec-specs JAR to its own dedicated archive repository. If you receive a [ERROR] 503 Service Temporarily Unavailable message, you must update the ec-specs-examples Git repository and recompile your tests.

For more information, refer to ec-specs.

Credentials removed when viewing or updating a procedure

In v2025.03.0, an issue was found where credentials attached to a procedure using Credential type > Attach that were in the same project as the procedure were deleted when viewing or updating a procedure and selecting Save. This issue has now been fixed in v2025.03.1, and these types of credentials are no longer deleted from the procedure.

Attach parameter error is shown for credentials

Fixed an issue where editing a procedure step with an attached credential parameter would return an error for the credential, even if the parameter was not modified.

createMicroservice API fails in ec-groovy

An issue was reported, where when trying to create a microservice using ec-groovy, the createMicroservice API failed, and returned an invalid InvalidName error. This issue has now been fixed, and using ec-groovy with createMicroservice works as expected.

Incorrect URL encoding in EC-Rest

Fixed an issue in the EC-Rest plugin v2.5.7 where URL paths were incorrectly encoded.

Fixed ClassNotFoundException for Bouncy Castle

Fixed an issue where the Java JAR tool would throw a ClassNotFoundException because the Bouncy Castle dependency path was missing. Now, the dependency should be automatically resolved.

Manual steps are not confirmed using smart deploy

An issue was reported, where when running pipelines with manual tasks with smart deploy enabled, manual tasks were not confirmed as expected if the version of the release changed. This issue has been fixed, and smart deploy confirms manual tasks as expected, regardless of version number changes.

Manual plugin installation fails

On Windows, an issue that caused manual plugin installations to fail with a No such file or directory error has been fixed. The installation logic has been updated to ensure compatibility with both Windows and Linux paths.

emailEvent parameter not accepting multiple parameters

An issue was reported where the emailEvent parameter did not accept multiple parameters when using ectool. This issue has been fixed, and now, the emailEvent parameter accepts multiple parameters as expected.

Multibranch Pipeline job triggering fixed for CloudBees CI integrations

Resolved an issue for CloudBees CI integrations that prevented triggering Multibranch Pipeline jobs when using newer versions of CloudBees CI (verified with v2.504.2.5). With this fix, CloudBees CD/RO pipeline tasks now successfully trigger CloudBees CI jobs and complete as expected.

Known issues

The following issues are included as known issues in this release:

MeanLeadTime report does not work correctly without release runs

The MeanLeadTime report does not work correctly when Elasticsearch only has pipeline runs but no release runs.

Data from a custom data retention policy schedule is not purged for single runs

When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.

Artifacts can’t be transferred across zones using UI

The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.

Using PostgreSQL change tracking may generate errors

When using PostgreSQL with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but is not expected to have any effect on the performance of the system.

Events generated from CloudBees CI create URLs that cause 401 errors

Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins configured URLs and cause 401 errors.

Process steps modified during runs to be manual will hang

When a process step that is not manual is modified to be manual after the process runs, but before the associated job step evaluated, the step hangs and adds a java.lang.IllegalStateException: Unknown step type: manual exception to the log.

flowRuntime reports existing CloudBees CI job when switching platforms

The flowRuntime response contains hasCIJobs=1 if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.

CloudBees CI build logs are not accessible using getCIBuildLog without controller restart

When running getCIBuildLog for a CloudBees CI build, the build log cannot be accessed without restarting the build CloudBees CI controller. As a workaround, restart your CloudBees CI controller, and set up a number of executors, and getCIBuildLog can then be used to access the CloudBees CI build logs.

Catalog item objects cannot end in spaces on Windows agents

On Windows agents, "Export DSL" catalog item fails to export objects that end in spaces.

Undefined parameters returned in CloudBees CI job response

In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.

Multi-select menu options don’t define specific projects of project objects

Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as projectName, you can select multiple options in dropdown menus. However, there is only an object name (or list of names in case of multi-select) in the parameter value with no connection to a project and without the ability to identify which object exists in which projects.

CloudBees does not recommend using multi-select options for parameters used as project parameter dependency for object-like parameters when configuring formal parameters. This applies for the following formal parameter types:

  • Application

  • Procedure

  • Pipeline

  • Release

  • Environment

v10.2 and earlier legacy services may cause failed upgrades and break database consistency

Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and database consistency break. Additionally, even if the upgrade returns successfully, it may still be impossible to run the validateDatabase API.

As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade.

dslsync apply does not delete microservice mapping when source microservice has fewer mappings than target

Mapping for microservices is not deleted when the source microservice contains fewer mappings than the target microservice. This mismatch of microservices occurs when the following actions are performed.

On the DEV server:

  1. A microservice with 1 mapping is modified.

  2. dslsync apply is used promote DEV changes to:

    • DEV Git and CD/RO instances.

    • PROD Git and CD/RO instances.

      Expected/Actual Result: Both DEV and PROD data is synchronized = miroservice with 1 mapping

  3. The microservice is renamed.

  4. dslsync apply is used to promote changes to DEV Git and CD/RO instances.

    Expected/Actual Result: DEV and PROD data is NOT synchronized.

    • DEV = Renamed microservice with 1 mapping.

    • PROD = miroservice with the old name and 1 mapping .

On the PROD server.

  1. Mapping is added to the microservice with the old name. dslsync apply is used to promote changes to PROD Git and CD/RO instances.

    Expected/Actual Result: DEV and PROD data is NOT synchronized.

    • DEV = Renamed microservice with 1 mapping.

    • PROD = miroservice with the old name and 2 mappings.

  2. dslsync apply is used to promote DEV changes to PROD Git and CD/RO instances.

    • Expected Result: Both DEV and PROD data is synchronized = Renamed microservice with 1 mapping

    • Actual Result: Dev and PROD data is NOT synchronized. DEV = Renamed microservice with 1 mapping. PROD = Renamed microservice and 2 mappings.

Kerberos SSO sign-in issues

You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.

v10.2 and earlier legacy services may cause failed upgrades and break database consistency

When updating from v10.2 or earlier to v10.3 or later, your upgrade may fail and break database consistency if legacy services or containers exist in your system. Additionally, even if the upgrade completes successfully with legacy services or containers present, it may still be impossible to run the validateDatabase API.

As a workaround, before upgrading from v10.2 and earlier, delete all legacy services and containers, and then perform the upgrade. When upgrading a clustered deployment of CloudBees CD/RO, before running the installer to upgrade, delete the contents inside the broker-data directory, located at <DATA_DIR>/broker-data-<hostname>.

CloudBees Analytics server cannot be configured in legacy UI

On DevOps essentials  Platform Home page  Administration  Analytics server, the message WARNING: 'getDevOpsInsightServerConfiguration' API is deprecated. is displayed, because Elasticsearch is no longer supported. Additionally, it is no longer possible to configure CloudBees Analytics from this page, because it is deprecated and will be removed in a future release.

To configure your CloudBees Analytics server, navigate to Administration  Configuration  Analytics server.

UI settings for Instance header can cause the navigation to disappear after updating

If upgrading from v2023.06.0 or earlier to v2023.10.0 or later, if Administration  Server settings  UI settings  Instance header is Enabled, and has a null value for the UI header label, the navigation may not load after an upgrade.

  • Workaround if you have already upgraded:

    1. Downgrade back to the pre-upgrade version.

    2. Navigate to Administration  Server settings  UI settings and set Instance header to Disabled.

    3. Perform the upgrade again.

  • Workaround if you have not already upgraded:

    • Navigate to Administration  Server settings  UI settings, and either:

      • Set Instance header to Disabled.

      • Set Instance header to Enabled, and add a value in UI header label.

Widget X-axis labels may overlap if a pipeline with only a few runs is returned

In the Pipeline Stats dashboard, if your query returns a pipeline with only a few runs, the widget labels on the X-axis may overlap in some cases, which may cause them to be unreadable. This is issue is fixed once a greater number of results are returned.

Pipeline progress does not update if sub-pipeline restart

When running a pipeline with sub-pipelines, the progress percentage of the main pipeline does not update correctly when a sub-pipeline is restarted.

SyncArtifactVersions procedure completes with success when it should fail

SyncArtifactVersions procedure completes with success, rather than showing a warning, when manifest is missing and overwrite = false.

Automation Platform UI requires artifacts to use English characters in their file names

When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error.

Must restart server to apply LDAP changes

Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.

Not all Elasticsearch operations can be performed in a red state

(Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.

Microsoft Edge® doesn’t support SAML 2.0

The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.

LANG environment variable must be set to en.US.UTF-8

The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.

Schedules missing configuration do display runtime error prompts

Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.

Changing name in Release Dashboard changes stage status color

The stage inclusion status in the Release Dashboard changes color after a stage is renamed.

Steps that cannot access their child steps are not retried

If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses retry on error error handling. The job eventually completes with an error.

Retry count missing from pipeline runtime page

The retry count for group tasks or rules using automated retry on error is missing from the Pipeline runtime page.

Email notifications are not supported for complex environment mapping

Multiple mapped environments with the same name from different projects are not supported in email notifications.

Path-to-production view missing from imported project

A project import might not include the path-to-production view.

All subreleases must be present to link to a release

All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.

CloudBees Analytics report editor doesn’t include search by assignee

The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.

Additional Release Command Center configurations for Jira

If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping projectName:releaseProjectName, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName.

Approval by email on manual tasks

Approval by email on manual tasks should not expect parameters.

ectool export and ectool import should only be used between same server versions

If you use the ectool export to export your system configuration from a previous release, and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.

SSO requires additional PHP configuration

SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.

No UI to run or review pre-v10.1 triggers

CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.

Legacy definitions and references cause unexpected behavior for full data exports

Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.

Reverting changes is not possible for all objects

You can only revert changes for high-level design objects such as applications procedures, procedure steps, workflow definitions, and state definitions.

Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).
Recursively traversing nested group hierarchies may cause performance issues

Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.

Disabling and re-enabling change tracking may cause performance issues

System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.