Hi Team,
We are currently running Jenkins LTS version 2.387.3 on an Azure Windows VM.
The security team in our organization has raised the CVE below, to be addressed: Jenkins Security Advisory 2023-10-18
We are not using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files.
Do we still need to plan an upgrade to address these CVEs?
Regarding the specific CVE:
It’s not mandatory to upgrade your Jenkins version solely because of this CVE, as you’re not using the problematic argument.
General upgrade recommendation:
When running an LTS (Long-Term Support) version, it’s generally recommended to upgrade regularly to a more recent LTS version.
Your current version: 2.387.3 is more than one year old.
Suggestion:
Please consider upgrading to a more recent version, regardless of this specific CVE. Regular updates help maintain security and provide access to new features and improvements.
I agree with @poddingue on all the points that he made and would add more reasons that you should upgrade:
SECURITY-3314 - Critical vulnerability that allows attackers to read arbitrary files on the Jenkins controller file system in Jenkins versions prior to 2.426.3 LTS and 2.442 weekly
SECURITY-3386 - Medium vulnerability that allows a machine-in-the-middle attacker to reduce the security of an SSH connection on the Jenkins command line interface
SECURITY-3261 - Medium vulnerability that allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered
The Jenkins advisories Google group is a mailing list that announces security advisories. Subscribe to that list and you will be notified of advisories.
In my own experience staying up to date with the LTS releases and plugins is better because of the reasons mentioned above but also because you will benefit from newer features and bug fixes and have reduced compatibility issues compared to upgrading several versions at once.
You will run into issues once in a while but with a smaller delta they will be easier to fix and lower your downtime.
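Added example in Python (not from the thread, nor Jenkins' own code) for the two checks discussed above: read the java arguments out of a Windows service definition (a constructed jenkins.xml sample; the layout with an <arguments> element is assumed), report whether --http2Port is set, and compare the running version against the fix versions the reply quotes for SECURITY-3314.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of a Windows service config (jenkins.xml); the layout with an
# <arguments> element holding the java command line is assumed, not copied from any install.
SAMPLE_JENKINS_XML = """<service>
  <id>jenkins</id>
  <executable>C:\\Jenkins\\jdk\\bin\\java.exe</executable>
  <arguments>-Xrs -Xmx256m -jar "C:\\Jenkins\\jenkins.war" --httpPort=8080</arguments>
</service>
"""

# Fix versions quoted in the thread for SECURITY-3314: (LTS line, weekly line).
FIXED_IN = {"SECURITY-3314": ("2.426.3", "2.442")}


def service_arguments(xml_text):
    """Return the java arguments of a jenkins.xml service definition as a token list."""
    root = ET.fromstring(xml_text)
    node = root.find("arguments")
    # posix=False keeps Windows backslashes and quoted paths intact.
    return shlex.split(node.text, posix=False) if node is not None and node.text else []


def http2_enabled(args):
    """True if the HTTP/2 listener is switched on via --http2Port (=value or separate value)."""
    return any(a == "--http2Port" or a.startswith("--http2Port=") for a in args)


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def affected(version, fixed_lts, fixed_weekly):
    """LTS releases have three components (2.387.3), weeklies two (2.442);
    compare against the fix version of the matching release line."""
    fixed = fixed_lts if len(parse_version(version)) == 3 else fixed_weekly
    return parse_version(version) < parse_version(fixed)


def assess(version, xml_text):
    """Answer the thread's question: is --http2Port in use, and which listed fixes are missing?"""
    args = service_arguments(xml_text)
    missing = [k for k, (lts, weekly) in FIXED_IN.items() if affected(version, lts, weekly)]
    return {"http2_in_use": http2_enabled(args), "missing_fixes": sorted(missing)}


if __name__ == "__main__":
    print(assess("2.387.3", SAMPLE_JENKINS_XML))
```

Point `service_arguments` at the real jenkins.xml and `assess` at the version shown in the Jenkins footer to reproduce the check for your own controller.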