Info on Jenkins CVE

mahammad-azeem · June 25, 2024, 5:07am

Hi Team,
We are currently running Jenkins LTS version 2.387.3 on azure windows vm.
The security team in our organization has raised below CVE to be addressed Jenkins Security Advisory 2023-10-18

We are not using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files.

Do we still need to plan upgrade to address these CVEs ?

Please confirm

Regards,
Azeem

poddingue · June 25, 2024, 8:30am

Hi Azeem,

Thank you for your inquiry about the CVE.

Here are my thoughts:

Regarding the specific CVE:
It’s not mandatory to upgrade your Jenkins version solely because of this CVE, as you’re not using the problematic argument.
General upgrade recommendation:
When running an LTS (Long-Term Support) version, it’s generally recommended to upgrade regularly to a more recent LTS version.
Your current version:
2.387.3 is more than one year old.
Suggestion:
Please consider upgrading to a more recent version, regardless of this specific CVE. Regular updates help maintain security and provide access to new features and improvements.

MarkEWaite · June 25, 2024, 11:15am

I agree with @poddingue on all the points that he made and would add more reasons that you should upgrade:

SECURITY-3314 - Critical vulnerability that allows attackers to read arbitrary files on the Jenkins controller file system in Jenkins versions prior to 2.426.3 LTS and 2.442 weekly
SECURITY-3386 - Medium vulnerability that allows machine-in-the-middle attacker to reduce the security of an SSH connection on the Jenkins command line interface
SECURITY-3261 - Medium vulnerability that allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered

The Jenkins advisories Google group is a mailing list that announces security advisories. Subscribe to that list and you will be notified of advisories.

sodul · June 25, 2024, 4:00pm

In my own experience staying up to date with the LTS releases and plugins is better because of the reasons mentioned above but also because you will benefit from newer features and bug fixes and have reduced compatibility issues compared to upgrading several versions at once.

You will run into issues once in a while but with a smaller delta they will be easier to fix and lower your downtime.

mahammad-azeem · July 5, 2024, 4:35am

Noted and thanks a lot for the responses @poddingue @MarkEWaite @sodul
appreciate it

Topic		Replies	Views
Jenkins CVE info Ask a question	2	82	August 15, 2024
Why does CVE-2024-22243 not apply to Jenkins? Ask a question	1	61	July 15, 2024
CVE-2024-23897 is vulnerable for jenkins 2.263.1 Using Jenkins question , jenkinsfile	3	465	February 1, 2024
CVE-2024-23898, CVE-2023-27899 and CVE-2023-43496 vulnerabilities on jenkins/jenkins:2.448-alpine-jdk17 Community question	7	520	March 13, 2024
Is Jenkins 2.440.3 impacted by CVE-2024-22262? Using Jenkins docker , sig-security	1	764	May 10, 2024

Info on Jenkins CVE

Related Topics