Query Regarding SECURITY-3314/SECURITY-3315

Gaurav7 · February 22, 2024, 8:55am

Jenkins setup:
Jenkins: 1.656
OS: Windows NT (unknown) - 10.0
Java: 1.8.0_66 - Oracle Corporation

I have one query,
Will this vulnerability SECURITY-3314/SECURITY-3315, will affect the Jenkins if CLI is not being used?

Also, the mitigation shared on git, is not working for us, any reason for this? if this is due to the difference in the JDK, can the script be modified for the version we are using?
GitHub - jenkinsci-cert/SECURITY-3314-3315: Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898

any help in this regards will really help us.
Thank you in advance

mawinter69 · February 22, 2024, 9:39am

I would be more concerned about the 8 year old Jenkins 1.656 version than about that particular vulnerability. There are probably other critical vulnerabilities in the version you use. Just go over the list of advisories Security Advisories.
The script to disable the CLI is definitely written in mind for current Jenkins versions not older than maybe 1 or 2 years.

Gaurav7 · February 29, 2024, 2:38pm

Hello @mawinter69,

Thanks for your response, yes we are planning to upgrade.
We have never done this before, can you please suggest what documents we should follow to upgrade the existing version to latest one?

Topic		Replies	Views
Clarification Needed on Mitigating CLI Security Issue (SECURITY-3314/3315) with SSH Usage Ask a question question	0	334	February 2, 2024
How to disable Jenkins CLI Ask a question	0	586	February 20, 2024
CVE-2024-23897 is vulnerable for jenkins 2.263.1 Using Jenkins question , jenkinsfile	3	494	February 1, 2024
Info on Jenkins CVE Community	4	92	July 5, 2024
About recent CVE Issue Ask a question	2	16	October 18, 2024

Query Regarding SECURITY-3314/SECURITY-3315

Related topics