Looking for stable images for both jenkins/jenkins and jenkins/inbound-agent

Hi,

I’m planning to upgrade my Jenkins but got some vulnerabilities captured in our ECR scan result. We are using both these images at the moment, as we host a controller/agent architecture. Does anyone have any suggestion on which image tags come with zero “High” and “Critical” findings for Alpine?

We are using the below base images:
controller image: jenkins/jenkins:lts-alpine-jdk17
agent image: jenkins/inbound-agent:latest-alpine-jdk17

Note: I have tried jdk21, but it reported a couple of vulnerabilities.

Thanks,
Ram

Hello and welcome to this community, @rama.gurram. :waving_hand:

It looks like the first Alpine image you cited hasn’t been updated in 22 days. :thinking:
I would go with a more detailed tag like jenkins/jenkins:alpine3.21-jdk21 which has been updated 2 days ago.
As for the inbound agent, the tag you chose has been updated yesterday, but I would go with jenkins/inbound-agent:latest-alpine3.21-jdk21 nonetheless, as we have chosen a controller running with JDK 21. :person_shrugging:

Regarding the CVE, are they directly linked to Jenkins, or to Alpine?
If it’s for Jenkins, then double-check our latest security advisory.
To me, upgrading to our latest versions should solve your problems.

And often, CVEs detected by scanners are unexploitable within Jenkins.

I think OP wants LTS, except only the good parts, like stability, but not the bad parts, which is that it’s not updated as frequently and as quickly.

Going with the weekly line would indeed solve the problem here.


Thanks for the suggestion @poddingue. I have tried testing the below image, but the image scan results captured the below CVEs. Any idea... do these not have any fixes?
Base Image: jenkins/jenkins:alpine3.21-jdk21

Vulnerabilities:
[CVE-2025-21587] - High
[CVE-2025-30698] - Medium
[CVE-2020-36843] - Medium
[CVE-2025-30691] - Medium

My Dockerfile and all plugins are updated to the latest version:

FROM jenkins/jenkins:alpine3.21-jdk21
USER root
RUN mkdir /etc/secrets \
    && mkdir /etc/jcasc
RUN chown jenkins:jenkins /etc/secrets \
    && chown jenkins:jenkins /etc/jcasc
RUN apk --no-cache add \
    curl \
    libtasn1 \
    bash \
    musl \
    && apk upgrade --no-cache

USER jenkins
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt

Thanks,
Ram


CVE-2025-21587 is supposed to have been solved by this commit for Java 17 but not by this commit for Java 21, as the 21.0.6 version is affected.

What is the output of java --version?

Mine is:

docker run -it jenkins/jenkins:alpine3.21-jdk21 /bin/ash
/ $ java --version
openjdk 21.0.6 2025-01-21 LTS
OpenJDK Runtime Environment Temurin-21.0.6+7 (build 21.0.6+7-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.6+7 (build 21.0.6+7-LTS, mixed mode)

So… This time, we may be better staying with the JDK17 variant… except that…

docker run -it jenkins/jenkins:alpine3.21-jdk17 /bin/ash

/ $ java --version
openjdk 17.0.14 2025-01-21
OpenJDK Runtime Environment Temurin-17.0.14+7 (build 17.0.14+7)
OpenJDK 64-Bit Server VM Temurin-17.0.14+7 (build 17.0.14+7, mixed mode)
/ $

But the agent is ok:

docker run --rm --entrypoint=bash jenkins/ssh-agent:jdk17 -c 'java -version'
openjdk version "17.0.15" 2025-04-15
OpenJDK Runtime Environment Temurin-17.0.15+6 (build 17.0.15+6)
OpenJDK 64-Bit Server VM Temurin-17.0.15+6 (build 17.0.15+6, mixed mode)

Now, I get it.
The update of the JDK version for the controller only happened yesterday.
You should then see the CVE warning disappear after next week’s release.
Lucky you, there should be a LTS release next week.
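As an added example (not code from this thread or the Jenkins project), a POSIX shell check that applies the comparison above to `java --version` banners: it treats 17.0.15 and 21.0.7 as the patched Temurin levels for CVE-2025-21587, as the thread states, and the sample banners are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not from the Jenkins project: classify a `java --version`
# (or `java -version 2>&1`) banner by whether the JDK is at or above the
# Temurin level this thread reports as carrying the CVE-2025-21587 fix
# (17.0.15 for JDK 17, 21.0.7 for JDK 21). Banners below are constructed.

# Dotted field N of a version string; empty if it does not exist.
field() { printf '%s\n' "$1" | cut -s -d. -f"$2"; }

# Major.minor.patch from the first banner line, for both banner layouts.
jdk_version() {
    printf '%s\n' "$1" | sed -n '1s/^openjdk \(version "\)*\([0-9][0-9.]*\).*/\2/p'
}

# True (exit 0) when dotted version $1 >= $2, comparing up to three fields.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$1" "$i"); y=$(field "$2" "$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Minimum patched Temurin version per major line, as stated in the thread.
fixed_for_major() {
    case "$1" in 17) echo 17.0.15 ;; 21) echo 21.0.7 ;; *) echo "" ;; esac
}

# Prints patched, affected or unknown for one banner.
jdk_status() {
    v=$(jdk_version "$1")
    min=$(fixed_for_major "$(field "$v" 1)")
    if [ -z "$v" ] || [ -z "$min" ]; then echo unknown; return 0; fi
    if version_ge "$v" "$min"; then echo patched; else echo affected; fi
}

CONTROLLER_JDK21='openjdk 21.0.6 2025-01-21 LTS
OpenJDK Runtime Environment Temurin-21.0.6+7 (build 21.0.6+7-LTS)'
CONTROLLER_JDK17='openjdk 17.0.14 2025-01-21
OpenJDK Runtime Environment Temurin-17.0.14+7 (build 17.0.14+7)'
AGENT_JDK17='openjdk version "17.0.15" 2025-04-15
OpenJDK Runtime Environment Temurin-17.0.15+6 (build 17.0.15+6)'

# Against a real image: jdk_status "$(docker run --rm <image> java --version 2>&1)"
for b in "$CONTROLLER_JDK21" "$CONTROLLER_JDK17" "$AGENT_JDK17"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$b" | head -n 1)" "$(jdk_status "$b")"
done
```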

Thanks @poddingue, we have a plan to release the latest version to production, as we tested it in the test environment, but now we can’t deploy this version as this package is affected by vulnerabilities in recent ECR scans. Also, I have seen a notification in our test environment saying JDK17 support is going to end at the start of next year. So, we decided to upgrade the JDK version along with the latest Jenkins version. Can we expect jenkins/jenkins:alpine3.21-jdk21 to get an LTS release next week fixing the above vulnerabilities?

Thanks,
Ram

That’s not my understanding.
We depend on Temurin JDK, and they depend on the patches delivered upstream.
As stated by Oracle, Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 July 2025
  • 21 October 2025
  • 20 January 2026
  • 21 April 2026

Does it mean we’ll have to wait until mid-July 2025 to get a patch for JDK 21?
I hope I misunderstood.

At least for openjdk the patches are released: Timing Attack in openjdk-jre | CVE-2025-21587 | Snyk

and Temurin is in progress.

The temurin 21 images have been published yesterday:
https://hub.docker.com/layers/library/eclipse-temurin/21-jre/images/sha256-b8a08e2c1b08335e1d69dd78ad81f42a24f3e6f9ba92da1d1e3bfc7b9b61b5c2

The updatecli GA will kick in on next Monday.
If all the platforms we are targeting are available by then, the weekly and LTS images should be rebuilt just in time for the release. :crossed_fingers:

Thanks @bpedersen2 @poddingue for sharing the details. So, can we expect the latest LTS version at the start of next week that could fix the flagged vulnerabilities with the image jenkins/jenkins:lts-alpine-jdk21?
I would like to know if that is the case... then we can hold off our release until then, instead of going with lts-alpine-jdk17 again, which could lead to back-to-back upgrades in production as JDK17 support is going to end soon. Hope you got my point :slight_smile:

Thanks,
Ram

That’s my understanding, if all stars align… for the CVE-2025-21587 at least. :person_shrugging:
The 21.0.7 binaries are available for all our platforms, the update of the controller and of the agent went fine, so we should get the LTS release on the 30th with this Java version.

Please take a look at the proposed changelog to see if there is something that could be an issue for you.