CloudBees Jenkins Platform 2.164.33.0.1

RELEASED: 2020-01-29

Based on Jenkins LTS2.164.33-cb-1

Fixed release

Security advisory

Security advisory

XXE vulnerability in WebSphere Deployer Plugin

SECURITY-1719 / CVE-2020-2108

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

As of publication of this advisory, there is no fix.

Security fixes

  • Attackers with Overall/Read, Agent/Secure, and Job/Read can associate any folder they can Job/Read with any agent they can Agent/Secure via CSRF when using the CloudBees Folders Plus Plugin (FNDJEN-1781)

    To fix this issue, the use of the crumb issuer has been enforced in some methods and the web page with the authorized agents has been restricted.

    This only affects installations that use the CloudBees Folders Plus Plugin.

  • Cloud connection test implementations allow users with Jenkins.READ permission to steal credentials (FNDJEN-1851)

    Access is now protected with RequierePOST annotations and new check for permissions.

  • CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin

    Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

    Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

    Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

    This only affects installations that use the Health Advisor by CloudBees Plugin.

New features

  • Specifying a matrix of one or more dimensions (NGPIPELINE-378)

    The Declarative Pipeline Matrix directive allows users to execute a set of one or more Pipeline stages multiple times-once for every combination defined in the matrix. Matrix combinations are generated from static lists of predefined values. Filters can also be provided to exclude specific combinations.

Feature enhancements

None

Resolved issues

  • ATH failure in Gradle plugin (FNDJEN-1532)

    Updated to version 1.35 of Gradle plugin to fix the failure as well as improve pipeline support.

  • Connection to S3 for backup with HTTP only (no SSL) not working (CTR-1030)

    This only affects installations that use the CloudBees Backup Plugin.

    When overriding an S3 endpoint with a custom endpoint that used the HTTP protocol only, the URL was prefixed by "https://" and ended with an SSL error. With this fix, when an endpoint has only the HTTP protocol set and HTTPS is not present, then the URL begins with "http://".

  • Update pipeline-build-step to 2.10 and workflow-cps to 2.78 (NGPIPELINE-878)

    This only affects installations that use the Pipeline: Build Step and Pipeline: Groovy plugins.

    When the build step failed because the downstream build failed, it always reported failure, instead of the actual result of the downstream build. With this fix, the build step now reports the actual result of the downstream build when using the propagate option.

Known issues

None

Upgrade notes

End of life announcement

After assessing the viability of our supported plugins, CloudBees will no longer support the CloudBees VMware Pool Autoscaling Plugin after April 30, 2020.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.