Issue
Parameters are not passed to a job unless that job declares them. The instance log records one warning per dropped parameter, for example:
WARNING hudson.model.ParametersAction#filter: Skipped parameter `FOO` as it is undefined on `MY_JOB`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach
Environment
- CloudBees Jenkins Operations Center 1.609.x.y >= 1.609.18.1
- CloudBees Jenkins Operations Center 1.625.x.y >= 1.625.18.1
- CloudBees Jenkins Operations Center > 1.625
- CloudBees Jenkins Enterprise 1.609.x.y >= 1.609.18.1
- CloudBees Jenkins Enterprise 1.625.x.y >= 1.625.18.1
- CloudBees Jenkins Enterprise 1.642.x.y >= 1.642.18.1
- CloudBees Jenkins Enterprise > 1.642
- Jenkins LTS >= 1.651.2
- Jenkins >= 2.3
Resolution
- Update any plugins in your environment which are listed with a fix on this list of impacted plugins.
- If no fix is currently indicated, please file a bug report if one does not already exist to help ensure that the appropriate plugin maintainer is informed.
Workaround
The fix for SECURITY-170 consists of the following change in Jenkins behavior:
Only build parameters that have been explicitly defined in a job’s configuration are available by default at build time. Any other parameters that plugins add to a build are dropped by default. Because a number of plugins relied on the behavior of older Jenkins versions, upgrading to 1.651.2 or 2.3 may break certain builds.
If a plugin or a job has to trigger jobA with a parameter Param1, jobA must now be configured as a parameterized job that declares Param1.
Because various plugins passed hidden parameters to the jobs they trigger, SECURITY-170 breaks them. The following system properties were put in place as a temporary workaround, to give those plugins time to be updated with a clean solution:
- Option 1: Restore the previous behavior by setting the system property -Dhudson.model.ParametersAction.keepUndefinedParameters to true. This is potentially very unsafe and intended as a short-term workaround only: it reinstates the behavior fixed by SECURITY-170, so anything able to trigger a job can again inject arbitrary environment variables into its builds. Example: -Dhudson.model.ParametersAction.keepUndefinedParameters=true
- Option 2: To allow specific, known safe parameter names to be passed to builds, set the system property -Dhudson.model.ParametersAction.safeParameters to a comma-separated list of safe parameter names. The list applies to every job on the instance, so include only names that no build treats as trusted input. Example: -Dhudson.model.ParametersAction.safeParameters=FOO,BAR_BAZ,qux
- Option 3: Set -Dhudson.model.ParametersAction.keepUndefinedParameters=false to stop these log messages. Undefined parameters are still dropped; only the warning is suppressed.
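The following Python script is an added example written for this article; it is not Jenkins or CloudBees code. It models the filter behavior described above for the three property settings (unset, true, false) and for the safeParameters list, and it parses the warning quoted in the Issue section out of an instance log so that the parameters each job needs to declare can be listed without relaxing the filter globally. The job names, parameter names and the log lines in SAMPLE_LOG are constructed for the example.

```python
"""Model of the post-SECURITY-170 parameter filter plus a log parser.

Added example; not Jenkins code. Mirrors the documented behavior of
hudson.model.ParametersAction#filter:
  keepUndefinedParameters unset -> undefined parameters dropped, one WARNING each
  keepUndefinedParameters=true  -> nothing filtered (Option 1, unsafe)
  safeParameters=A,B            -> listed names pass even when undefined (Option 2)
  keepUndefinedParameters=false -> undefined parameters dropped silently (Option 3)
Job names, parameter names and SAMPLE_LOG are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Fixed part of the warning quoted in the Issue section. Job names may
# include folders (e.g. `folder/jobA`), so anything but a backtick is accepted.
WARNING_RE = re.compile(
    r"Skipped parameter `(?P<param>[^`]+)` as it is undefined on `(?P<job>[^`]+)`"
)


def filter_parameters(
    passed: Dict[str, str],
    defined: Set[str],
    job: str,
    keep_undefined: Optional[str] = None,
    safe_parameters: str = "",
) -> Tuple[Dict[str, str], List[str]]:
    """Return (parameters that reach the build, warnings that would be logged).

    passed: what the upstream job or plugin sends; defined: names declared in
    the downstream job's configuration; keep_undefined: string value of
    -Dhudson.model.ParametersAction.keepUndefinedParameters (None when unset);
    safe_parameters: value of -Dhudson.model.ParametersAction.safeParameters.
    """
    if keep_undefined is not None and keep_undefined.lower() == "true":
        return dict(passed), []  # Option 1: pre-fix behavior, everything injected
    silent = keep_undefined is not None and keep_undefined.lower() == "false"
    safe = {n.strip() for n in safe_parameters.split(",") if n.strip()}

    kept: Dict[str, str] = {}
    warnings: List[str] = []
    for name, value in passed.items():
        if name in defined or name in safe:
            kept[name] = value
        elif not silent:  # Option 3 (=false) removes only this line; the drop stays
            warnings.append(f"Skipped parameter `{name}` as it is undefined on `{job}`")
    return kept, warnings


def undefined_parameters_by_job(log_lines: List[str]) -> Dict[str, Set[str]]:
    """Per job, the parameter names the instance log reported as undefined.

    These are the parameter definitions to add to each job (the clean fix).
    """
    report: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = WARNING_RE.search(line)
        if m:
            report.setdefault(m.group("job"), set()).add(m.group("param"))
    return report


def suggest_safe_parameters(report: Dict[str, Set[str]]) -> str:
    """Value for -Dhudson.model.ParametersAction.safeParameters (Option 2).

    The list is instance-wide: every name in it becomes injectable into every
    job, so prune anything a build script could treat as trusted.
    """
    return ",".join(sorted(set().union(*report.values())))


# Constructed log excerpt; the real message continues with the hint about the
# two system properties, which the regex does not need.
SAMPLE_LOG = [
    "May 12, 2016 10:01:02 AM hudson.model.ParametersAction filter",
    "WARNING: Skipped parameter `FOO` as it is undefined on `MY_JOB`. Set ...",
    "WARNING: Skipped parameter `BAR_BAZ` as it is undefined on `MY_JOB`. Set ...",
    "WARNING: Skipped parameter `FOO` as it is undefined on `folder/jobA`. Set ...",
    'INFO: Started by upstream project "jobA" build number 7',
]


def demo() -> Dict[str, Dict[str, object]]:
    """Run one upstream trigger through each option the article lists."""
    passed = {"Param1": "release", "FOO": "1"}  # sent by the upstream job/plugin
    defined = {"Param1"}  # declared on jobA; FOO is the hidden parameter
    results: Dict[str, Dict[str, object]] = {}
    for label, keep, safe in [
        ("default", None, ""),
        ("option1_keep_true", "true", ""),
        ("option2_safe_list", None, "FOO,BAR_BAZ,qux"),
        ("option3_keep_false", "false", ""),
    ]:
        kept, warnings = filter_parameters(passed, defined, "jobA", keep, safe)
        results[label] = {"kept": kept, "warnings": len(warnings)}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} kept={outcome['kept']} warnings={outcome['warnings']}")
    by_job = undefined_parameters_by_job(SAMPLE_LOG)
    print("undefined by job:", by_job)
    print("safeParameters candidate:", suggest_safe_parameters(by_job))
```

Running it shows that only Option 1 passes FOO through without a whitelist, that Option 3 drops FOO exactly as the default does and merely stops the warning, and that the log parser yields the per-job list of parameter definitions to add, which is the fix to prefer over either system property.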
Tested product/plugin versions
- See this list of impacted plugins for status and associated versions which have fixes implemented.
References
SECURITY-170 is discussed in more detail in the following links:
- CloudBees Jenkins Security Advisory 2016-05-11
- Jenkins Security Advisory 2016-05-11: Security Advisory including SECURITY-170