CloudBees Jenkins Platform


RELEASED: 2021-11-04

Security fixes

Fixed vulnerabilities in the Jenkins remote communication protocol (SECURITY-2455)

Multiple security vulnerabilities have been identified in the Jenkins protocol that is used for communication between controllers and agents, as well as between the operations center and any connected controllers.

These issues have been resolved in this release. CloudBees recommends that you upgrade as soon as possible or apply a workaround. Please refer to the following knowledge base article for more information:

Improved required role check (SECURITY-2458)

Messages (“Callables”) in the Jenkins protocol used for communication between agents, controllers, and the operations center check the role of the side of the channel on which they arrive (agent, controller, or operations center) to determine whether they are allowed to be executed there.

In previous releases, a Callable whose role check was a no-op could be executed on any side of the channel, regardless of where it originated. To prevent exploitation of vulnerabilities caused by such implementations, any Callable whose role check is a no-op is now rejected instead of being executed.

Please refer to the following knowledge base article for more information:
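As an added illustration (not code from this release or from Jenkins itself), the following Java shows a Callable with a no-op role check next to one that declares the role it expects, and a small checker that models the behaviour described above by rejecting a Callable that never consults the checker. It assumes jenkins-core (which brings in hudson.remoting and org.jenkinsci.remoting) is on the classpath; the RecordingChecker class and the execute method are illustrative assumptions, not the remoting layer's own implementation.

```java
import java.util.Collection;

import hudson.remoting.Callable;
import jenkins.security.MasterToSlaveCallable;
import jenkins.security.Roles;
import org.jenkinsci.remoting.Role;
import org.jenkinsci.remoting.RoleChecker;
import org.jenkinsci.remoting.RoleSensitive;

public class RoleCheckDemo {

    // Pre-fix style: checkRoles() is a no-op, so in previous releases this
    // Callable could be executed on either side of the channel.
    static class NoOpCallable implements Callable<String, RuntimeException> {
        @Override
        public String call() {
            return "ran as " + System.getProperty("user.name");
        }

        @Override
        public void checkRoles(RoleChecker checker) throws SecurityException {
            // Intentionally empty: never asks the checker anything.
        }
    }

    // Correct style: the base class implements checkRoles() as
    // checker.check(this, Roles.SLAVE), so it may only run on an agent.
    static class AgentOnlyCallable extends MasterToSlaveCallable<String, RuntimeException> {
        @Override
        public String call() {
            return "ran on agent";
        }
    }

    // Illustrative checker (an assumption for this example, not the remoting
    // implementation): records whether the Callable consulted it at all and
    // refuses any expected role other than the local side's role.
    static class RecordingChecker extends RoleChecker {
        private final Role localRole;
        boolean consulted;

        RecordingChecker(Role localRole) {
            this.localRole = localRole;
        }

        @Override
        public void check(RoleSensitive subject, Collection<Role> expected) throws SecurityException {
            consulted = true;
            if (!expected.contains(localRole)) {
                throw new SecurityException(subject.getClass().getSimpleName()
                        + " expects " + expected + " but this side is " + localRole);
            }
        }
    }

    // Model of the post-fix behaviour: a Callable whose role check is a no-op
    // is rejected before call() is ever reached.
    static <V, T extends Throwable> V execute(Callable<V, T> callable, Role localRole) throws T {
        RecordingChecker checker = new RecordingChecker(localRole);
        callable.checkRoles(checker);
        if (!checker.consulted) {
            throw new SecurityException(callable.getClass().getSimpleName()
                    + " performs a no-op role check; rejected");
        }
        return callable.call();
    }

    public static void main(String[] args) {
        // Pretend this JVM is the agent side of the channel.
        System.out.println(execute(new AgentOnlyCallable(), Roles.SLAVE));

        try {
            execute(new NoOpCallable(), Roles.SLAVE);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        try {
            // The same agent-only Callable arriving at the controller side: role mismatch.
            execute(new AgentOnlyCallable(), Roles.MASTER);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it with the jenkins-core jar (and its remoting dependency) on the classpath. The practical takeaway for plugin code is the second class: extend MasterToSlaveCallable (or SlaveToMasterCallable for the opposite direction) rather than implementing checkRoles() with an empty body, because an empty body is now treated as a rejected Callable rather than as "runs anywhere".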

Non-constant time checking was performed for the controller CasC bundle access token (BEE-8344)

The CasC bundle access token that authenticates requests between the controller and the operations center server was compared using a non-constant-time comparison. Such a comparison stops at the first mismatching byte, so the time taken to reject an incorrect token depends on how many leading bytes of it are correct, which is a potential timing side channel against the token.

This issue has been resolved. The controller CasC bundle access token is now checked using a constant time comparison.
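The following Java is an added example, not code from this release or from the CloudBees or Jenkins code base. It puts the vulnerable early-exit comparison beside a constant-time one and beside the standard-library MessageDigest.isEqual, and counts examined bytes so the leak is visible without a timer. The token value and the guesses are constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TokenCompare {

    // Result of the leaky comparison: the verdict plus how many bytes were
    // looked at before returning, which is what a remote attacker measures as time.
    static final class LeakyResult {
        final boolean equal;
        final int bytesExamined;

        LeakyResult(boolean equal, int bytesExamined) {
            this.equal = equal;
            this.bytesExamined = bytesExamined;
        }
    }

    // Vulnerable pattern: returns at the first mismatching byte, so the work done
    // (and therefore the response time) grows with the length of the correct prefix.
    static LeakyResult leakyEquals(byte[] expected, byte[] supplied) {
        int examined = 0;
        if (expected.length != supplied.length) {
            return new LeakyResult(false, examined);
        }
        for (int i = 0; i < expected.length; i++) {
            examined++;
            if (expected[i] != supplied[i]) {
                return new LeakyResult(false, examined); // early exit leaks the prefix length
            }
        }
        return new LeakyResult(true, examined);
    }

    // Fixed pattern: always walks the whole expected token and folds every
    // difference into an accumulator, so the amount of work does not depend on
    // where (or whether) the first mismatch occurs. A length mismatch is folded
    // in the same way instead of causing an early return.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        int diff = expected.length ^ supplied.length;
        for (int i = 0; i < expected.length; i++) {
            // Wrap the index so one byte of 'supplied' is touched per iteration
            // without branching on the byte values themselves.
            byte s = supplied.length == 0 ? 0 : supplied[i % supplied.length];
            diff |= expected[i] ^ s;
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample token; a real token would be long and random.
        byte[] expected = "a3f9c1e8b2d4".getBytes(StandardCharsets.UTF_8);

        // Constructed guesses with 0, 2, 6 and 12 correct leading bytes.
        String[] guesses = { "zzzzzzzzzzzz", "a3zzzzzzzzzz", "a3f9c1zzzzzz", "a3f9c1e8b2d4" };

        for (String g : guesses) {
            byte[] supplied = g.getBytes(StandardCharsets.UTF_8);
            LeakyResult leaky = leakyEquals(expected, supplied);
            System.out.printf("%s  leaky=%-5b examined=%2d  constantTime=%-5b isEqual=%b%n",
                    g, leaky.equal, leaky.bytesExamined,
                    constantTimeEquals(expected, supplied),
                    MessageDigest.isEqual(expected, supplied));
        }
    }
}
```

Running it, the examined column of the leaky comparison rises with each guess that gets one more byte of prefix right, which is exactly the signal an attacker would recover from response times; the two constant-time columns give the same true/false verdicts while doing the same amount of work for every guess. In application code, prefer java.security.MessageDigest.isEqual over a hand-written loop. Where the token length itself should not be observable either, compare fixed-length digests (for example SHA-256) of the two values rather than the raw tokens.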

Upgrade notes

Safely upgrading the Amazon Web Services SDK plugin

The Amazon Web Services (AWS) SDK plugin (aws-java-sdk) was split into multiple fine-grained plugins to reduce the size of the CloudBees Jenkins Platform packages. As a result, it is no longer part of the CloudBees Assurance Program. The plugin is not uninstalled automatically from your CloudBees Jenkins Platform instance, which can leave the instance in an inconsistent state when you upgrade.

If you install using CasC and the plugins.yaml file lists aws-java-sdk, the installation fails. To resolve the failed installation, add the plugins that depend on the AWS SDK plugin to both the plugins.yaml and the plugin-catalog.yaml files. To avoid upgrade issues, use the Plugin Manager to upgrade the AWS SDK plugin safely.