A bug was introduced in Jenkins versions 1.645 and 1.642.2 which caused Jenkins to send anonymous usage statistics, even if the administrator opted-out of reporting usage data in the Jenkins web UI.

If you are running one of the affected versions, the best/easiest solution is to upgrade. The bug does not affect Jenkins 1.653 or newer, or Jenkins LTS 1.642.4 or newer.

If you cannot upgrade, it is possible to immediately disable submission of usage statistics by running the following script in "Manage Jenkins » Script Console":

    hudson.model.UsageStatistics.DISABLED = true

This will immediately disable usage data submission until you restart Jenkins. To make this permanent, change your Jenkins startup script so it passes a system property to the java process:

    java -Dhudson.model.UsageStatistics.disabled=true -jar …/jenkins.war

For information how to do this when using one of the installers/packages, see the installer/package documentation here.

To verify that usage stats submission is disabled, run the following script in "Manage Jenkins » Script Console" and confirm the result is true:

    println hudson.model.UsageStatistics.DISABLED

We have much more information about the issue and our usage statistics process in our wiki.

While we do not consider this a security advisory, if you are a Jenkins administrator we highly recommend subscribing to our jenkinsci-advisories@ mailing list.
About the Author
Daniel Beck

Daniel is a Jenkins core maintainer and, as security officer, leads the Jenkins security team. He sometimes contributes to developer documentation and project infrastructure.