Important security updates for Jenkins core

Daniel Beck April 26, 2017

We just released security updates to Jenkins, versions 2.57 and 2.46.2, that fix several security vulnerabilities, including a critical one.

That critical vulnerability is an unauthenticated remote code execution via the remoting-based CLI. When I announced the fix for the previous vulnerability of this kind, I announced our plans to revisit the design of the CLI that enabled this class of vulnerabilities.

Since Jenkins 2.54, we now have a new CLI implementation that isn’t based on remoting, and deprecated its remoting mode. Despite it being a major feature, we decided to backport it to 2.46.2, so LTS users can also disable the unsafe remoting mode while retaining almost all of the CLI’s existing functionality.

For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. I recommend you read these documents, especially if you’re using the CLI with Jenkins LTS, as there are possible side effects of these fixes.

Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.

About the author

Daniel Beck

Daniel is a Jenkins core maintainer and member of the Jenkins security team. He was the inaugural Jenkins security officer from 2015 to 2021. He sometimes contributes to developer documentation and project infrastructure in his spare time.