Issue
- After applying the long-term fix for the Jenkins security issue SECURITY-2349/CVE-2021-21648 (see the security advisory), I want to remove the short-term mitigation from my controller(s) and Operations Center.
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise - Managed controller
- CloudBees Jenkins Enterprise - Operations Center
Resolution
Removing mitigation on an Operations Center or a Standalone Controller
- Go to Manage Jenkins -> Configure System.
- Scroll down to Request Filtering.
- Locate the rule whose URI pattern is
    .*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*
  (this is the same pattern as in the Groovy script further down, which shows it with doubled backslashes because it is a Groovy single-quoted string).
- Click the Delete button at the lower right of the rule to delete it.
- Select Save.
Removing mitigation on Controllers in an Operations Center cluster
In any clustered environment with an Operations Center and controllers connected to it, you need to remove the mitigation on the Operations Center itself (see Removing mitigation on an Operations Center or a Standalone Controller) and on each controller it manages, as explained below.
To remove the mitigation on multiple controllers managed by a CloudBees Operations Center, use a Cluster Operation.
Note: Controllers must be Running and Connected for the Cluster Operation to succeed and apply the change. The Is Online filter used below skips controllers that are offline at the time, so run the operation again for any controller that reconnects later.
To create and configure a cluster operation:
- On your Operations Center, click New Item, choose Cluster Operations, and give it a name of your choice (such as Remove mitigation for SECURITY-2349 on all online controllers).
- In Target Managed controllers, add the controllers from which you want to remove the mitigation (such as From Operations Center Root).
- Under Filters, click Add Filter and choose Client Controller / Managed Controller Is Online.
- Under Steps, click Add Step and choose Execute Groovy Script on Controller. Enter the following script:

    import com.cloudbees.jenkins.plugins.requestfilter.*

    // The mitigation rule pattern as shown in Manage Jenkins -> Configure System -> Request Filtering.
    // Backslashes are doubled here because this is a Groovy single-quoted string.
    String mitigationPattern = '.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'

    // Copy into a fresh ArrayList: the list returned by getRules() may be immutable
    // (for example Collections.emptyList() when no rules are configured).
    List<Rule> existingRules = new ArrayList(Rules.get().getRules())
    int oldCount = existingRules.size()

    // Drop every rule whose pattern contains the mitigation pattern.
    existingRules.removeAll { rule -> rule.pattern.contains(mitigationPattern) }

    if (oldCount - existingRules.size() > 0) {
        println 'Mitigation pattern found. Removing.'
        Rules.get().setRules(existingRules)
    } else {
        println 'Mitigation pattern not found. No changes are made.'
    }

- Select Save and Run.
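The following is an added example, not part of this article or of CloudBees' own code. It checks that the pattern shown in the Request Filtering UI and the Groovy string in the script above are the same regular expression once Groovy's single-quote escaping is undone, and shows which request URIs that rule matched, so you can confirm you are deleting the right rule. It assumes that the Request Filter plugin applies the pattern as a whole-string match against the request URI (with leading and trailing .* this is the same as a search anywhere in the URI); the sample URIs are constructed for the demonstration.

```python
import re

# Pattern as written in the Groovy script in this article (a Groovy single-quoted
# string, so every regex backslash is doubled). Raw Python string, so the four
# backslashes survive verbatim.
GROOVY_PATTERN = r'.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'

# Pattern as it is displayed in Manage Jenkins -> Configure System -> Request Filtering.
UI_PATTERN = r'.*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*'


def groovy_single_quoted_to_regex(groovy_literal: str) -> str:
    """Undo Groovy single-quote escaping: a doubled backslash is one literal
    backslash, so the string handed to the Request Filter plugin has half as many."""
    return groovy_literal.replace("\\\\", "\\")


MITIGATION_REGEX = re.compile(groovy_single_quoted_to_regex(GROOVY_PATTERN))


def is_blocked(request_uri: str) -> bool:
    """True if the mitigation rule would have rejected this request URI.

    Assumption (not stated in the article): the Request Filter plugin applies the
    pattern as a whole-string match. Because the pattern starts and ends with .*
    this is equivalent to a search anywhere in the URI.
    """
    return MITIGATION_REGEX.fullmatch(request_uri) is not None


def classify(request_uris):
    """Map each URI to whether the mitigation would have blocked it."""
    return {uri: is_blocked(uri) for uri in request_uris}


# Constructed sample URIs (not taken from the advisory or from real traffic).
SAMPLE_URIS = [
    '/job/demo/upload/"x"/complete',  # quote, then /complete            -> blocked
    "/job/demo/upload/%22x/upload",   # URL-encoded quote, then /upload  -> blocked
    "/job/demo/upload/x/complete",    # no quote anywhere                -> allowed
    '/job/demo/upload/"x/other',      # quote but no /upload or /complete after it -> allowed
    'C:\\upload\\"x\\complete',       # backslash separators also match [/\\] -> blocked
    "/job/demo/build",                # unrelated endpoint               -> allowed
]

if __name__ == "__main__":
    # The UI shows the single-backslash form; the script carries the doubled form.
    assert groovy_single_quoted_to_regex(GROOVY_PATTERN) == UI_PATTERN
    for uri, blocked in classify(SAMPLE_URIS).items():
        print(f"{'BLOCKED' if blocked else 'allowed'}  {uri}")
```

If the rule in your Configure System page does not equal UI_PATTERN character for character, it is not the SECURITY-2349 mitigation and the Groovy script above will leave it in place, since it only removes rules whose pattern contains that exact string.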