CloudBees Jenkins Distribution 2.190.3.2

RELEASED: Public: 2019-11-21

Based on Jenkins LTS 2.190.3-cb-1

Rolling release

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

New features

Resolved issues

  • CloudBees Nodes Plus Plugin unrelated exception issue (CTR-761)

    When a user set a blank probe command for a node, an odd, unrelated exception was written to the logs. With this fix, a blank command is treated as a command failure, and the cause is displayed in the node monitor and in the logs.

  • CloudBees RBAC Plugin XSS issue (CTR-735)

    A stored XSS payload could be submitted in a group description, and anyone who viewed the group description via its tooltip would then trigger it. With this fix, the content of the group’s description is transformed by MarkupFormatter according to what is configured in the Global Security section.

  • Operations Center Context Plugin XSS issue (CTR-760)

    An XSS vulnerability was possible when an item with a malicious display name was shown in the Move/Copy/Promote browser bar. With this fix, user input is sanitized before it is added to the HTML source, preventing the XSS.

  • Operations Center Agent Plugin ClassicConnector issue (CTR-410)

    In some cases, when the connection between a master and the Operations Center (OC) failed, the connection was retried using a deprecated and insecure connector (ClassicConnector). With this fix, ClassicConnector is disabled by default, so it is not used.

  • Jira Plugin upgrade (NGPIPELINE-743, -733)

    The previously provided version of the Jira plugin, 3.0.9, bundled Jackson 1.x among its dependencies, which made it vulnerable to CVE-2017-7525. The upgrade to Jira plugin version 3.0.10 excludes these Jackson libraries.

  • Improve Configuration as Code support (FNDJEN-1067)

    Configuration as Code compatibility has been improved so that CloudBees Jenkins Advisor data can be imported and exported.

Known issues

  • Under certain circumstances, Jenkins may “hang”, with the following symptoms:

    • The Jenkins java process is running in a waiting state.

    • Jenkins is effectively down.

    • Nothing is logged.

    Sometimes, after numerous restarts, the Jenkins service may start up again normally.

    The root cause for this issue is that the Jenkins service hangs immediately before it forks the child process that starts Jetty and Jenkins. Although the Java process is running, nothing is logged, because Jenkins has not yet started and is not yet listening on any port.

    NOTE: This issue affects a very small number of CloudBees customers. You only need to take action if you are directly affected by this issue: if you are not experiencing this issue, no action is necessary.

    A workaround is available in the CloudBees Support Knowledge Base article Jenkins intermittently fails to restart on RHEL 7 and CentOS 7.

  • Kubernetes plugin was not pre-installed for versions 2.176.2.3, 2.176.3.2, 2.190.3.2, 2.176.3.3, 2.176.4.3, 2.190.2.2, 2.190.3.2, and 2.204.1.3 (FNDJEN-1825)

    Kubernetes and suggested plugins are now preinstalled by default starting with version 2.204.2.2.