CVE-2014-3566 "poodle" impact on Jenkins
Another day, another SSL vulnerability! Google has announced a vulnerability in SSL v3, and if you are using the "Winstone" servlet container built into Jenkins, and if you are using the HTTPS connector with the --httpsPort option (it is off by default), then you are vulnerable to this problem.
The advisory includes the target delivery vehicles for the fix and how you can address the problem in the meantime. Inside a corporate intranet, where Jenkins is typically used, I suppose there's a degree of trust among participants to make this less of a problem. But if you run an internet-facing Jenkins, be sure to deploy the fix.
(And as I write this, I've fixed all the https://*.jenkins-ci.org servers to disable SSLv3, so we are covered there.)