Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include 2.440.1 in list of releases with fix for 2024-01-24 core vulnerabilities #7036

Merged
merged 3 commits into from
Feb 21, 2024
Merged

Include 2.440.1 in list of releases with fix for 2024-01-24 core vulnerabilities #7036

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7da2e79
Include 2.440.1 in list of releases with fix for 2024-01-24 core vuln…
Kevin-CB Jan 24, 2024
d31a938
Do not add the date
Kevin-CB Jan 25, 2024
f84c6ac
Use singular
Kevin-CB Jan 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions content/security/advisory/2024-01-24.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ kind: core and plugins
core:
lts:
previous: 2.426.2
fixed: 2.426.3
fixed: 2.426.3 or 2.440.1
weekly:
previous: '2.441'
fixed: '2.442'
Expand Down Expand Up @@ -122,14 +122,14 @@ issues:
====

**Fix Description:** +
Jenkins 2.442, LTS 2.426.3 disables the command parser feature that replaces an `@` character followed by a file path in an argument with the file's contents for CLI commands.
Jenkins 2.442, LTS 2.426.3, and LTS 2.440.1 disables the command parser feature that replaces an `@` character followed by a file path in an argument with the file's contents for CLI commands.

In case of problems with this fix, disable this change by setting the link:/doc/book/managing/system-properties/#hudson-cli-clicommand-allowatsyntax[Java system property `hudson.cli.CLICommand.allowAtSyntax`] to `true`.
Doing this is strongly discouraged on any network accessible by users who are not Jenkins administrators.

**Workaround:** +
Disabling access to the CLI is expected to prevent exploitation completely.
Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3.
Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3 or LTS 2.440.1.
Applying this workaround does not require a Jenkins restart.
For instructions, see the link:https://github.com/jenkinsci-cert/SECURITY-3314-3315/[documentation for this workaround].

Expand Down Expand Up @@ -177,12 +177,12 @@ issues:
Attackers can execute the CLI commands that the victim's permissions allow using, up to and including Groovy scripting capabilities (`groovy` and `groovysh` commands) in case of a Jenkins administrator, resulting in arbitrary code execution.

**Fix Description:** +
Jenkins 2.442, LTS 2.426.3 performs origin validation of requests made through the CLI WebSocket endpoint.
Jenkins 2.442, LTS 2.426.3, and LTS 2.440.1 performs origin validation of requests made through the CLI WebSocket endpoint.

In case of problems with this fix, disable this change by setting the link:/doc/book/managing/system-properties/#hudson-cli-cliaction-allow_websocket[Java system property `hudson.cli.CLIAction.ALLOW_WEBSOCKET`] to `true`.

**Workaround:** +
Some workarounds are available to mitigate some or all of the impact if you are unable to immediately upgrade to Jenkins 2.442, LTS 2.426.3:
Some workarounds are available to mitigate some or all of the impact if you are unable to immediately upgrade to Jenkins 2.442, LTS 2.426.3 or LTS 2.440.1:

* **Disable CLI access** +
Disabling access to the CLI will prevent exploitation completely and is the **recommended workaround** for administrators unable to immediately update.
Expand Down
Loading