Environment
-
CloudBees Jenkins Enterprise 2.32.2.1
-
CloudBees Jenkins Enterprise 2.7.22.0.1
-
CloudBees Jenkins Enterprise 1.651.22.1
-
CloudBees Jenkins Operations Center 2.32.2.1
-
CloudBees Jenkins Operations Center 1.625.22.1
Resolution
Console notes security fix
Console notes, the often bold or colored additions to build logs by plugins such as Timestamper or AnsiColor, that were created before you upgrade to versions specified above or 2.32.2 will no longer be loaded for security reasons.
To restore the previous (unsafe) behavior, set the system property hudson.console.ConsoleNote.INSECURE
to true
as described on this wiki page.
Maven projects in Maven Integration Plugin 2.14 and earlier that use Maven 3.0.x to build will create console notes that can no longer be read by Jenkins, therefore parts of their build output will not be colored/bold. This does not affect freestyle projects.
New encrypted secrets format
Encrypted secrets are now AES-128 CBC with random IV instead of AES-128 ECB without IV. Therefore the format of encrypted secrets has been changed. While existing secrets can still be read, saving configuration files will result in re-encryption of stored secrets in the new format.
Re-keying backup files removed
Re-keying, a process implemented for the Jenkins 1.480.2 security update, and performed only when upgrading Jenkins from versions 1.480.1 or 1.497 or earlier, left behind backup files with no restrictive file access permissions. On the first restart after applying the 2.32.2 update, Jenkins will remove these backup files, if present.
If you were relying on file system permissions to protect secrets stored in Jenkins, and are operating an instance that originally was running Jenkins 1.480.1 or 1.497 (or earlier), consider changing any secrets that were stored in Jenkins then.
If you are relying on file system permissions to protect secrets stored in your Jenkins home directory backups, it is recommended that you remove the directory JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups
from all backups.
Remoting denylist addition
The remoting denylist of classes prohibited from being used in XStream and Java object serialization has been extended. These entries were added:
^javax[.]imageio[.].* ^java[.]util[.]ServiceLoader$ ^java[.]net[.]URLClassLoader$
No legitimate use of these types is expected, but possible. The possible alternative of disabling the CLI via HTTP and JNLP agent port to prevent its unauthenticated use still applies.
User creation via GET no longer possible
Jenkins administrators were able to create users by accessing the URL /user/example
. Doing so would create (for this URL) a new user with the ID example
, if it did not exist before.
While convenient, this constitutes a cross-site request forgery vulnerability, as Jenkins administrators may be tricked into creating hundreds of (not always ephemeral) users. Therefore this feature has been removed.
When using the internal Jenkins user database, new users can be created via Manage Jenkins » Manage Users instead.
To restore the previous (unsafe) behavior, set the system property hudson.model.User.allowUserCreationViaUrl
to true
as described on this wiki page.
Beekeeper Issues when upgrading from 2.32.1.1
In some cases, if an upgrade is performed from 2.32.1.1 to 2.32.2.1 (not happening from previous versions) Beekeeper may show an error. If this happens, or the log contains a line like:
SEVERE c.c.j.p.u.envelope.LoggerLog#log: Product xxx upgrade from 2.32.1.1 to 2.32.2.1 detected but upgrades are disabled
Please perform the following actions:
In the Script Console
execute:
import java.io.File; def f = new File(Jenkins.instance.root, "cb-envelope" + File.separator + "upgrade.disabled") println "Looking for " + f if (f.exists()) { println "File exists. Deleting it." f.delete(); } else { println "File does not exist." }
And restart the instance.