Addressing recently disclosed vulnerabilities in the Jenkins CLI

The Jenkins security team has been made aware of a new attack vector for a remote code execution vulnerability in the Jenkins CLI, according to this advisory by Daniel Beck:

We have since been able to confirm the vulnerability and strongly recommend that everyone follow the instructions in the linked repository.

As Daniel mentions in the security advisory, the advised mitigation strategy is to disable the CLI subsystem via this Groovy script. If you are a Jenkins administrator, navigate to the 'Manage Jenkins' page and click on the 'Script Console', which will allow you to run the Groovy script to immediately disable the CLI.

In order to persist this change across restarts of your Jenkins controller, place the Groovy script in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy so that Jenkins executes the script on each boot.

We are expecting to have a fix implemented, tested and included in an updated weekly and LTS release this upcoming Wednesday, November 16th.

For users who are operating Jenkins on public, or otherwise hostile, networks, we suggest hosting Jenkins behind reverse proxies such as Apache or Nginx. These can help provide an additional layer of security, when used appropriately, to cordon off certain URLs such as /cli.

Additionally, we strongly recommend that all Jenkins administrators subscribe to the jenkinsci-advisories@googlegroups.com mailing list to receive future advisories.

The Jenkins project has a responsible disclosure policy, which we strongly encourage anybody who believes they have discovered a potential vulnerability to follow. You can learn more about this policy and our processes on our security page.