- Security vulnerability in the SAML plugin (CVE-2021-21678)
CloudBees researchers discovered a vulnerability in the SAML plugin that could allow an attacker to execute code on the Jenkins instance. This vulnerability is present in all versions of the supported product. Even if you do not use the SAML plugin, you are vulnerable if it is enabled in your environment.
CloudBees recommends that you review the following knowledge base article and perform the documented mitigation steps as soon as possible to ensure that you are protected from this vulnerability. The mitigation does not require a restart or upgrade, and it will not disrupt your production workload. It provides full protection. Then, once you have completed the mitigation steps, you can plan for and test an upgrade to a version that contains the fix.
CloudBees recommends that you upgrade to the August 2021 release of Jenkins LTS as soon as possible. The August 2021 release includes a change that removes the Apache Commons Digester from Jenkins Core. If you use Jenkins plugins that are not in the CloudBees Assurance Program (CAP), you should update them before upgrading your CloudBees products to ensure compatibility with the August release. If your company uses its own proprietary (non-CloudBees) plugins, CloudBees recommends that you test them against Jenkins version 2.302+ prior to the August release. As always, backing up your data before upgrading is strongly encouraged. For details about this change and a list of impacted plugins, please refer to our knowledge base article Commons Digester Library Removal.
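Because the advisory states that an instance is exposed whenever the SAML plugin is enabled, even if it is not used for login, the first thing an administrator wants to know is whether the plugin is present and enabled. The following script, written for the Jenkins Script Console (Manage Jenkins > Script Console), is an added example and not part of the CloudBees advisory or the plugin's own code; it assumes the plugin's short name is "saml" and uses only the standard Jenkins PluginManager and PluginWrapper APIs.

```groovy
// Added example, not from the advisory: report the SAML plugin's install and
// enabled state, plus any plugins that depend on it (relevant when deciding
// whether disabling it as a mitigation would affect other plugins).
// Assumption: the plugin's short name is "saml".
import jenkins.model.Jenkins

def pm = Jenkins.get().pluginManager
def saml = pm.getPlugin("saml")

if (saml == null) {
    println "SAML plugin is not installed on this instance."
} else {
    println "SAML plugin ${saml.version} is installed; enabled=${saml.enabled}, active=${saml.active}"
    if (saml.enabled) {
        println "Plugin is enabled: apply the knowledge base mitigation or upgrade to a fixed version."
    }
}

// Plugins that declare a dependency on the SAML plugin.
pm.plugins
  .findAll { p -> p.dependencies.any { d -> d.shortName == "saml" } }
  .each { p -> println "Depends on saml: ${p.shortName} ${p.version}" }
```

Run it on each controller you administer and record the output; the same script can be scheduled through the CLI or a job to confirm that the plugin stays in the expected state after the mitigation and after the upgrade.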