Query Regarding SECURITY-3314/SECURITY-3315

Gaurav7 · February 22, 2024, 8:55am

Jenkins setup:
Jenkins: 1.656
OS: Windows NT (unknown) - 10.0
Java: 1.8.0_66 - Oracle Corporation

I have one query,
Will this vulnerability SECURITY-3314/SECURITY-3315, will affect the Jenkins if CLI is not being used?

Also, the mitigation shared on git, is not working for us, any reason for this? if this is due to the difference in the JDK, can the script be modified for the version we are using?
GitHub - jenkinsci-cert/SECURITY-3314-3315: Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898

any help in this regards will really help us.
Thank you in advance

mawinter69 · February 22, 2024, 9:39am

I would be more concerned about the 8 year old Jenkins 1.656 version than about that particular vulnerability. There are probably other critical vulnerabilities in the version you use. Just go over the list of advisories Security Advisories.
The script to disable the CLI is definitely written in mind for current Jenkins versions not older than maybe 1 or 2 years.

Gaurav7 · February 29, 2024, 2:38pm

Hello @mawinter69,

Thanks for your response, yes we are planning to upgrade.
We have never done this before, can you please suggest what documents we should follow to upgrade the existing version to latest one?

Topic		Replies	Views
CVE-2024-23897 is vulnerable for jenkins 2.263.1 Using Jenkins question , jenkinsfile	3	256	February 1, 2024
Arbitrary file read vulnerability through the CLI can lead to RCE SECURITY-3314 / CVE-2024-23897 Ask a question	4	457	February 13, 2024
Is Jenkins vulnerable to the log4j CVE-2021-44228 Ask a question	3	5891	December 10, 2021
Jenkins SSL Configuration Ask a question question	5	485	January 6, 2023
Is Jenkins@2.332.2 and Jenkins@2.332.3 supported/patched? Using Jenkins	1	435	December 1, 2022

Query Regarding SECURITY-3314/SECURITY-3315

Related Topics