New features

Insufficient privileges on installation (CPLT2-6065)

In some environments users did not have sufficient privileges during installation to create ClusterRoles or ClusterRoleBindings.

To address this, it is now possible to use a custom Helm values file to specify whether or not Cluster-level RBAC objects are installable.

Sidecar-injector Helm chart and YAML (CPLT2-6067)

CloudBees Core for Modern Cloud Platforms now features the sidecar-injector Helm chart and Include YAML for sidecar-injector in the YAML distribution.

Improve getClusterId (CPLT2-6002)

We’ve reworked the logic for getClusterId to better handle multiple instances.

Support added for Red Hat OpenShift Container Platform (OCP) 4.x

Red Hat OCP 3.x is supported starting with version 3.11. Starting with CloudBees Core on modern cloud platforms version, OCP 4.x is supported starting with version 4.1.

  • The following plugins have been removed: One-Shot Executor, Palace Cloud Plugin, PAM Authentication Plugin, PSE Tenant Plugin

Resolved issues

Remove the default-java pod template (CPLT2-6040)

CloudBees Jenkins Operations Center previously defined a Kubernetes shared cloud with a default-java pod template. This template was unnecessary and interfered with attempts to define Windows-based pods.

This has been addressed by removing the default-java pod template for new installations. configmap/jenkins-agent remains in place, but by default is not used.

To run builds on Kubernetes, a pod template is required (although it does not need to be set as a default). This pod template can be defined in Operations Center, via a managed controller, or through the pipeline podTemplate step.

IMPACT: Existing pipelines that consist of only a node step, and which do not have a default pod template defined in the Operations Center, managed controller or pipeline podTemplate step, may not execute. Existing installations should otherwise be unaffected.


To use Windows containers with a given pod, delete the default-java pod template.

To fix existing pipelines that are affected as described in IMPACT, modify the pipeline to add a pod template. For pipelines on managed controllers that have a default pod template defined,

For example, node { <build happens here> } can be restated as podTemplate { node (POD_LABEL) { <build happens here>}}.

Pipelines with simple Linux commands can be wrapped in a podTemplate step and labeled with a POD_LABEL parameter. For example, podTemplate {node(POD_LABEL) {sh 'cat /etc/os-release'}}. For pipelines on managed controllers with a defined default pod template, only the addition of ('<default pod template label>') to the node step is required.

This affects installations using the Operations Center Kubernetes Cloud Plugin.

Remove unused plugins (CPLT2-6009)

CloudBees Core images (both for CloudBees Jenkins Operations Center and managed controllers) bundled a number of obsolete plugins that were of use only in the older CloudBees Jenkins Enterprise.

This has been addressed by removing obsolete plugins from the distribution and making sure obsolete plugins are not offered in new installations. Existing installations are unaffected.

Clean up agent image packaging (CPLT2-6028)

Clean up of agent image packaging.

Update Kubernetes plugin to 1.21.1 (CPLT2-6060)

The Kubernetes plugin has been updated to version 1.21.1. This update fixes a compatibility issue that would have prevented kube-agent-management from working.

pam-auth plugin fails when used in Docker container (CPLT2-5710)

Problem: pam-auth fails if used inside the Docker container.

This has been addressed by removing the plugin.

CloudBees Nodes Plus Plugin unrelated exception issue (CTR-761)

When the user set a 'blank' probe command for a node, an odd and unrelated exception was shown in the logs. With this fix, a blank command is treated as a command failure, and the cause is displayed in the node monitor and in the logs.

CloudBees RBAC Plugin XSS issue (CTR-735)

Stored XSS could have been submitted on group description, and anyone who checked the group description via tooltip would then trigger an XSS. With this fix, we now use MarkupFormatter to transform the content of the group’s description depending on what is configured in the Global Security section.

Operations Center Context Plugin XSS issue (CTR-760)

An XSS vulnerability was possible when an item with a malicious display name was shown in the Move/Copy/Promote browser bar. With this fix, user input is sanitized before adding it to the HTML source, preventing an XSS vulnerability.

Operations Center Agent Plugin ClassicConnector issue (CTR-410)

In some cases, when the connection between controller and OC failed, it was retried with a deprecated and insecure connector (ClassicConnector). With this fix, we have disabled ClassicConnector (by default), so it’s not used.

Jira Plugin upgrade (NGPIPELINE-743, NGPIPELINE-733)

The previously provided version of the Jira plugin, 3.0.9, bundled Jackson 1.x in its dependencies which made it vulnerable to CVE-2017-7525. The upgrade to Jira plugin version 3.0.10 excludes these Jackson libraries.

Known issues

Under certain circumstances, Jenkins may “hang” with the following conditions
  • The Jenkins java process is running in a waiting state.

  • Jenkins is effectively down.

  • Nothing is logged.

    Sometimes, after numerous restarts, the Jenkins service may start up again normally.

    The root cause for this issue is that the Jenkins service hangs immediately before it forks the child process that starts Jetty and Jenkins. Although the Java process is running, nothing is logged, because Jenkins has not yet started and is not yet listening on any port.

    NOTE: This issue affects a very small number of CloudBees customers. You only need to take action if you are directly affected by this issue: if you are not experiencing this issue, no action is necessary.

    A workaround is available in the CloudBees Support Knowledge Base article Jenkins intermittently fails to restart on RHEL 7 and CentOS 7.


Revision 2 (2019-11-21)

CloudBees Security Advisory 2019-11-21