SECURITY-170 Advisory

Issue

Parameters aren’t passed to a job if it doesn’t declare them. In your instance logs you can find various warnings like :

WARNING	hudson.model.ParametersAction#filter: Skipped parameter `FOO` as it is undefined on `MY_JOB`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters`=true to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach

Environment

CloudBees Jenkins Operations Center 1.609.x.y >= 1.609.18.1
CloudBees Jenkins Operations Center 1.625.x.y >= 1.625.18.1
CloudBees Jenkins Operations Center > 1.625
CloudBees Jenkins Enterprise 1.609.x.y >= 1.609.18.1
CloudBees Jenkins Enterprise 1.625.x.y >= 1.625.18.1
CloudBees Jenkins Enterprise 1.642.x.y >= 1.642.18.1
CloudBees Jenkins Enterprise > 1.642
Jenkins LTS >= 1.651.2
Jenkins >= 2.3

Resolution

Update any plugins in your environment which are listed with a fix on this list of impacted plugins.
If no fix is currently indicated, please file a bug report if one does not already exist to help ensure that the appropriate plugin maintainer is informed.

Workaround

The fix for SECURITY-170 consists of the following change in Jenkins behavior:

Only build parameters that have been explicitly defined in a job’s configuration will be available by default at build time. Any other arbitrary parameters added to a build by plugins will not be available by default. As there are a number of plugins that rely on the behavior in older Jenkins versions, upgrading to 1.651.2 or 2.3 means that certain build behaviors may be broken.

If a plugin or a job has to trigger jobA with a parameter Param1, it is now required to configure jobA as a parametrized job with Param1 as parameter.

Because various plugins were passing some hidden parameters to their jobs, SECURITY-170 will break them. The following solutions have been put in place as a temporary work-around to give the time to these plugins to be updated to propose a clean solution:

Option 1: It’s possible to restore the previous behavior by setting the system property -Dhudson.model.ParametersAction.keepUndefinedParameters to true. This is potentially very unsafe and intended as a short-term workaround only.

-Dhudson.model.ParametersAction.keepUndefinedParameters=true
Option 2: To allow specific, known safe parameter names to be passed to builds, set the system property -Dhudson.model.ParametersAction.safeParameters to a comma-separated list of safe parameter names. Example:

-Dhudson.model.ParametersAction.safeParameters=FOO,BAR_BAZ,qux
Option 3: Set -Dhudson.model.ParametersAction.keepUndefinedParameters=false to no longer show these log messages.

Tested product/plugin versions

See this list of impacted plugins for status and associated versions which have fixes implemented.

References

SECURITY-170 is discussed in more detail in the following links:

CloudBees Jenkins Security Advisory 2016-05-11, Jenkins Security Advisory 2016-05-11: Security Advisory including SECURITY-170

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.