Recent Blog Posts

We just released security updates to Jenkins that fix a number of low and medium severity issues. For an overview of what was fixed, see the security advisory. One of the fixes may well break some of your use cases in Jenkins, at least until plugins have been adapted: SECURITY-170. This change removes parameters that are not defined on a job from the build environment. So, right now, a job could even be unparameterized, and plugins were able to pass parameters anyway. Since build parameters are added to the environment variables of scripts run during a build, parameters such as PATH or DYLD_LIBRARY_PATH can be defined — on jobs which don’t even expect those as build parameters — to change the behavior of builds. A number of plugins define additional parameters for builds. For example, GitHub Pull Request Builder passes a number of additional parameters describing the pull request. Release Plugin also allows adding several additional parameters to a build that are not considered to be defined in the job as part of this security fix. Please see this wiki page for a list of plugins known to be affected by this change. Until these plugins have been adapted to work with the new restriction (and advice on that is available further down), you can define the following system properties to work around this limitation, at least for a time: Set hudson.model.ParametersAction.keepUndefinedParameters to true, e.g. java -Dhudson.model.ParametersAction.keepUndefinedParameters=true -jar jenkins.war to revert to the old behavior of allowing any build parameters. Depending on your environment, this may be unsafe, as it opens you up to attacks as described above. Set hudson.model.ParametersAction.safeParameters to a comma-separated list of safe parameter names, e.g. java -Dhudson.model.ParametersAction.safeParameters=FOO,BAR_baz,quX -jar jenkins.war. I realize this change, among a few others that improve the security of Jenkins, may be difficult to adapt for some, but given the valuable secrets typically stored in Jenkins, I’m certain that this is the correct approach. We made sure to release this fix with the options described above, so that this change doesn’t block updating those that rely on this behavior. Developers have several options to adapt to this change: ParametersAction actually stores all parameters, but getParameters() only returns those that are defined on the job. The new method getAllParameters() returns all of them. This can be used, for example by EnvironmentContributor extensions, to add known safe parameters to build environments. Don’t pass extra arguments, but define a QueueAction for your metadata instead. Those can still be made available to the build environment as needed. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.

Last week, the infrastructure team identified the potential compromise of a key infrastructure machine. This compromise could have taken advantage of, what could be categorized as, an attempt to target contributors with elevated access. Unfortunately, when facing the uncertainty of a potential compromise, the safest option is to treat it as if it were an actual incident, and react accordingly. The machine in question had access to binaries published to our primary and secondary mirrors, and to contributor account information. Since this machine is not the source of truth for Jenkins binaries, we verified that the files distributed to Jenkins users: plugins, packages, etc, were not tampered with. We cannot, however, verify that contributor account information was not accessed or tampered with and, as a proactive measure, we are issuing a password reset for all contributor accounts. We have also spent significant effort migrating all key services off of the potentially compromised machine to (virtual) hardware so the machine can be re-imaged or decommissioned entirely. What you should do now If you have ever filed an issue in JIRA, edited a wiki page, released a plugin or otherwise created an account via the Jenkins website, you have a Jenkins community account. You should be receiving a password reset email shortly, but if you have re-used your Jenkins account password with other services we strongly encourage you to update your passwords with those other services. If you’re not already using one, we also encourage the use of a password manager for generating and managing service-specific passwords. The generated password sent out is temporary and will expire if you do not use it to update your account. Once it expires you will need recover your account with the password reset in the accounts app. This does not apply to your own Jenkins installation, or any account that you may use to log into it. If you do not have a Jenkins community account, there is no action you need to take. What we’re doing to prevent events like this in the future As stated above, the potentially compromised machine is being removed from our infrastructure. That helps address the immediate problem but doesn’t put guarantees in place for the future. To help prevent potential issues in the future we’re taking the following actions: Incorporating more security policy enforcement into our Puppet-driven infrastructure. Without a configuration management tool enforcing a given state for some legacy services, user error and manual mis-configurations can adversely affect project security. As of right now, all key services are managed by Puppet. Balkanizing our machine and permissions model more. The machine affected was literally the first independent (outside of Sun) piece of project infrastructure and like many legacy systems, it grew to host a multitude of services. We are rapidly evolving away from that model with increasing levels of user and host separation for project services. In a similar vein, we have also introduced a trusted zone in our infrastructure which is not routable on the public internet, where sensitive operations, such as generating update center information, can be managed and secured more effectively. We are performing an infrastructure permissions audit. Some portions of our infrastructure are 6+ years old and have had contributors come and go. Any inactive users with unnecessarily elevated permissions in the project infrastructure will have those permissions revoked. I would like to extend thanks, on behalf of the Jenkins project, to CloudBees for their help in funding and migrating this infrastructure. If you have further questions about the Jenkins project infrastructure, you can join us in the #jenkins-infra channel on Freenode or in an Infrastructure Q&A session I’ve scheduled for next Wednesday (April 27) at 20:00 UTC (12:00 PST).

The Script Security Plugin and the Extra Columns Plugin were updated today to fix medium-severity security vulnerabilities. For detailed information about the security content of these updates, see the security advisory. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.

We released Jenkins updates today that include important security fixes: 1.650 and 1.642.2. For detailed information about the security content of these updates, see the security advisory. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.