Disable Jenkins CLI

harsha_987 · February 20, 2024, 12:58pm

Jenkins setup: Jenkins version : 2.443

How can we disable Jenkins CLI without having to use the groovy script provided here .

jenkinsci-cert/SECURITY-3314-3315/blob/c03dab221a7359ef2d28e76b1e945145deb607bf/disable-cli.groovy

/*
The MIT License

Copyright (c) 2024, CloudBees, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

This file has been truncated. show original

When we use the script from above, we are seeing some errors which we want to avoid.

If there is any workaround please do share.

Thanks.

mawinter69 · February 20, 2024, 2:03pm

Jenkins 2.443 is not affected by the security vulnerability. So you can just remove the init.groovy script.

harsha_987 · February 20, 2024, 2:24pm

I could remove the init.groovy, but was hoping for any other way to disable jenkins cli.

mawinter69 · February 20, 2024, 4:04pm

You intend to disable the CLI permanently also the security issue is solved in the Jenkins version you’re using?

harsha_987 · February 21, 2024, 4:59am

Yes I want to disable the Jenkins CLI permanently.
Yes, I am using jenkins 2.443 which should not actually have any security issue.
We personally would like jenkins to only work through GUI or API , so we are trying to remove the Jenkins CLI which uses jenkins-cli.jar to trigger builds etc.

mawinter69 · February 21, 2024, 9:22am

I think the problem you have is this bug in Blue Ocean, which prevents that the script works.
So you could uninstall Blue Ocean and use pipeline-graph-view instead. Blue Ocean is anyway in maintenance mode (so no new features are added and only bigger bugs are fixed afaik).

harsha_987 · February 21, 2024, 12:38pm

Thanks for the suggestion, we will look into the plugin “pipeline-graph-view”. Looks like a good replacement.

Meanwhile I have tried below script in init.groovy to avoid errors:

def removal = { lst ->

lst.each { it -> if (it.getClass().name?.contains("CLIAction")) lst.remove(it) }

}

def j = jenkins.model.Jenkins.get();

removal(j.getExtensionList(hudson.cli.CLIAction.class))

//removal(j.getExtensionList(hudson.ExtensionPoint.class))

removal(j.getExtensionList(hudson.model.Action.class))

removal(j.getExtensionList(hudson.model.ModelObject.class))

removal(j.getExtensionList(hudson.model.RootAction.class))

removal(j.getExtensionList(hudson.model.UnprotectedRootAction.class))

//removal(j.getExtensionList(java.lang.Object.class))

removal(j.getExtensionList(org.kohsuke.stapler.StaplerProxy.class))

removal(j.actions)

Basically commenting the lines causing unnecessary errors.

Any insight on any issue that would come because of above commenting?

Topic		Replies	Views
How to disable Jenkins CLI Ask a question	0	586	February 20, 2024
Clarification Needed on Mitigating CLI Security Issue (SECURITY-3314/3315) with SSH Usage Ask a question question	0	334	February 2, 2024
Turn off access to the CLI Using Jenkins question	2	3351	February 2, 2024
Arbitrary file read vulnerability through the CLI can lead to RCE SECURITY-3314 / CVE-2024-23897 Ask a question	4	762	February 13, 2024
How do i remove specific permissions for a user in Jenkins using groovy script? Ask a question	4	1204	June 20, 2022

Disable Jenkins CLI

Related topics