Issue
- The Jenkins controller eventually becomes unresponsive, and its thread dump shows many threads like the following:

"Running CpsFlowExecution[Owner[XXXXXXX #X]]" #100000 daemon prio=5 os_prio=0 tid=0x0000000000000000 nid=0x000 runnable [0x000000000000000]
   java.lang.Thread.State: RUNNABLE
    at java.util.WeakHashMap.put(WeakHashMap.java:453)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.reset(ProxyWhitelist.java:123)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.<init>(ProxyWhitelist.java:75)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.<init>(ProxyWhitelist.java:154)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runScript(GroovySandbox.java:160)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:370)
    [...]

Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- Script Security Plugin < 1.78

Explanation
This is caused by a bug in the Script Security plugin, which uses a WeakHashMap as a cache when checking sandboxed scripts but does not properly synchronize access to it. When the issue happens, one thread enters an infinite loop and blocks any following access.
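
A triage check for the signature in the thread dump above, as an added example that is not code from CloudBees or the plugin: it parses a jstack-style dump and lists the RUNNABLE threads whose top frame is WeakHashMap.put reached from ProxyWhitelist.reset. The sample dump, its thread names and the function names are constructed for illustration.

```python
import re

# Signature taken from the article's thread dump.
HOT_FRAME = "java.util.WeakHashMap.put"
CALLER = "org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.reset"
HEADER = re.compile(r'^"(.*)" #\d+')
STATE = re.compile(r"java\.lang\.Thread\.State: (\w+)")
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\(")

# Constructed sample dump (assumption: jstack text layout), not real controller output.
SAMPLE_DUMP = '''\
"Running CpsFlowExecution[Owner[demo-a #1]]" #101 daemon prio=5 tid=0x01 nid=0x01 runnable [0x01]
   java.lang.Thread.State: RUNNABLE
    at java.util.WeakHashMap.put(WeakHashMap.java:453)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.reset(ProxyWhitelist.java:123)

"Running CpsFlowExecution[Owner[demo-b #2]]" #102 daemon prio=5 tid=0x02 nid=0x02 waiting for monitor entry [0x02]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.ProxyWhitelist.reset(ProxyWhitelist.java:123)

"Timer-0" #12 daemon prio=5 tid=0x03 nid=0x03 runnable [0x03]
   java.lang.Thread.State: RUNNABLE
    at java.util.WeakHashMap.put(WeakHashMap.java:453)
    at example.Other.cache(Other.java:10)
'''

def parse_threads(dump):
    """Split a dump into dicts with name, state and frames (top frame first)."""
    threads = []
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            threads.append({"name": header.group(1), "state": None, "frames": []})
        elif threads:
            state, frame = STATE.search(line), FRAME.match(line)
            if state:
                threads[-1]["state"] = state.group(1)
            if frame:
                threads[-1]["frames"].append(frame.group(1))
    return threads

def suspect_threads(dump):
    """Names of RUNNABLE threads sitting in WeakHashMap.put under ProxyWhitelist.reset."""
    return [t["name"] for t in parse_threads(dump)
            if t["state"] == "RUNNABLE" and t["frames"]
            and t["frames"][0] == HOT_FRAME and CALLER in t["frames"]]

if __name__ == "__main__":
    print("\n".join(suspect_threads(SAMPLE_DUMP)))
```

A thread that matches in several dumps taken some time apart is spinning rather than passing through the call.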