Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security.
He likes to provide solutions that are both useful and easy to use.
A remote code execution vulnerability has been identified in the Spring Framework.
This vulnerability is identified as CVE-2022-22965.
Spring officially responded early with an announcement.
SpringShell in Jenkins Core and Plugins
The Jenkins security team has confirmed that the Spring vulnerability is not affecting Jenkins Core.
There is no impact because Jenkins uses Stapler as its servlet layer, not Spring MVC or Spring WebFlux.
An analysis was done...
A critical security vulnerability has been identified in the popular "Apache Log4j 2" library.
This vulnerability is identified as CVE-2021-44228.
Log4j in Jenkins
The Jenkins security team has confirmed that Log4j is not used in Jenkins core.
Jenkins plugins may be using Log4j.
You can identify whether Log4j is included with any plugin by running the following Groovy script in the Script Console:
If this results in the following error,...
This is a speaker blog post for a DevOps World | Jenkins World 2019 talk in Lisbon, Portugal.
Come join us at DevOps World | Jenkins World 2019 for "Thinking about Jenkins Security", a talk about securing your Jenkins server.
We’ll review the layers that secure Jenkins and describe techniques that you can use to protect your Jenkins server.
Topics will include:
The secure by default configuration that Jenkins...
About API tokens
Jenkins API tokens are an authentication mechanism that allows a tool (script, application, etc.) to impersonate a user
without providing the actual password for use with the Jenkins API or CLI.
This is especially useful when your security realm is based on a central directory, like Active Directory or LDAP,
and you don’t want to store your password in scripts.
Recent versions of Jenkins also make...