The Jenkins Blog

Wadeck Follonier

Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security. He likes to provide solutions that are both useful and easy to use.

Jenkins September 2023 Newsletter

Key Takeaways JDK21 is around the corner Contributed by: Wadeck Follonier A plugin security advisory was published on September 6. Security Advisory 2023-09-06 This included multiple high score vulnerabilities in various plugins. A core security advisory was published on September 20. Security Advisory 2023-09-20 Multiple vulnerabilities were corrected in core. This advisory also included fixes for a plugin. Contributed by: Mark Waite Voter registration is now open for the 2023 Jenkins...

Damien DUPORTAL
Mark Waite
Bruno Verachten
Wadeck Follonier
Kevin Martens
Alyssa Tong October 12, 2023
Jenkins August 2023 Newsletter

Key Takeaways Jenkins project reports growth of 79% in Jenkins Pipeline, used to propel software delivery. Contributed by: Wadeck Follonier Andrea Chiera completed his 3 months internship within the Security team, auditing 100 plugins and finding 20+ vulnerabilities. Summer Internship in Jenkins security Thank you very much for your involvement and also to the team for mentoring him. A Plugin security advisory was published on August...

Damien DUPORTAL
Mark Waite
Bruno Verachten
Wadeck Follonier
Kevin Martens
Alyssa Tong September 21, 2023
Summer Internship in Jenkins security

Context Jenkins is an open-source CI/CD solution that is extensible with a wide range of plugins that can be installed using the Jenkins plugin distribution repository or via manual installation. This extensibility is a powerful feature of Jenkins, but it is a critical aspect that has to be secured to avoid risks and vulnerabilities that can impact the Jenkins system. The internship took...

Andrea Chiera
Kevin Guerroudj
Wadeck Follonier August 23, 2023
Jenkins July 2023 Newsletter

Key Takeaways A Jenkins Core security advisory was published on July 26 The official documentation has migrated to Java 17 Operating system end of life notifications have been added Contributed by: Wadeck Follonier During July, there were two Security Advisories published: Plugin security advisory published on July 12 Multiple high-score vulnerabilities A total of 16 plugins were affected Jenkins core and plugins security advisory published on July 26 The highest...

Damien DUPORTAL
Mark Waite
Bruno Verachten
Wadeck Follonier
Kevin Martens
Alyssa Tong August 2, 2023
Jenkins June 2023 Newsletter

Key Takeaways Red Hat Enterprise Linux 7, and derivatives like CentOS 7, reach early end of life. Upgrades and improvements of Jenkins components continue with significant progress towards the eventual removal of Prototype.js from Jenkins core. Thanks to a kind donation from Launchable, pull requests to Jenkins core now complete their evaluation builds in 2 hours rather than the 6 hours that were...

Damien DUPORTAL
Mark Waite
Bruno Verachten
Wadeck Follonier
Kevin Martens July 10, 2023
Jenkins May 2023 Newsletter

Key Takeaways Jenkins plugin updates released to fix security vulnerabilities, advisory published on May 16. JDK8 support has been dropped in favor of JDK11 as the default for running Jenkins agents. Ssh-agent release 5.0.0 introduces breaking changes. Contributed by: Wadeck Follonier A Security Policy was added for the Docker images of the project. Due to multiple reports about CVEs present in the Docker images the project...

Alyssa Tong
Damien DUPORTAL
Mark Waite
Bruno Verachten
Wadeck Follonier June 20, 2023
Jenkins April 2023 Newsletter

Key Takeaways There was one security advisory this month announcing vulnerabilities regarding Jenkins plugins. Cloud Cost Controls with improved resource cleanups and VM usage optimization to face the increased rate of builds on ci.jenkins.io. Thanks to DigitalOcean for their continued support and ($8,400 credit) sponsorship of Jenkins. Ppc64le docker agent images are now available. Jenkins at cdCon + GitOpsCon! Contributed by: Wadeck Follonier In April, there was...

Alyssa Tong
Damien DUPORTAL
Kevin Martens
Mark Waite
Bruno Verachten
Wadeck Follonier May 10, 2023
Spring Framework RCE, CVE-2022-22965

A remote code execution vulnerability has been identified in the Spring Framework. This vulnerability is identified as CVE-2022-22965. Spring officially reacted early in an early announcement. SpringShell in Jenkins Core and Plugins The Jenkins security team has confirmed that the Spring vulnerability is not affecting Jenkins Core. There is no impact because we are using Stapler as a servlet, and neither Spring MVC nor Spring...

Wadeck Follonier
Damien DUPORTAL
Mark Waite March 31, 2022
Apache Log4j 2 vulnerability CVE-2021-44228

A critical security vulnerability has been identified in the popular "Apache Log4j 2" library. This vulnerability is identified as CVE-2021-44228. Log4j in Jenkins The Jenkins security team has confirmed that Log4j is not used in Jenkins core. Jenkins plugins may be using Log4j. You can identify whether Log4j is included with any plugin by running the following Groovy script in the Script Console: org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource If this results...

Wadeck Follonier
Daniel Beck
Hervé Le Meur
Mark Waite December 10, 2021