Upgrading Jenkins from LTS 2.387.3 to LTS 2.426.3

Hi Team,
We are currently using Jenkins LTS 2.387.3 hosted on an Azure VM.
In order to mitigate the Jenkins CVE-2024-23897, we are planning to upgrade our current Jenkins application to LTS 2.426.3.

As part of this, I went through the upgrade guides and Java requirements indicated in the official jenkins.io documentation and came up with the outcome below.

Jenkins upgrade from LTS 2.387.3 to LTS 2.426.3

Step 1.
Upgrading from Jenkins LTS 2.387.3 to Jenkins LTS 2.401.x
No noteworthy changes to apply

Step 2.
Upgrading from Jenkins LTS 2.401.X to Jenkins LTS 2.414.x
Plugins related update
Categorized view version 1.13 or newer
Build Monitor View version 1.14-745.ve2023a_305f40 or newer

Step 3.
Upgrading from Jenkins LTS 2.414.x to Jenkins LTS 2.426.x
Java 21 support; Java 11/17 are still supported

Here are my few queries regarding this outcome.

  1. We are not using the plugins indicated in Step 2, but do we still need to consider upgrading these plugins?
  2. We are currently using remoting version 3107.v665000b_51092 (JNLP launcher, WebSocket communication protocol for the Jenkins agent/Windows server).
    As indicated in Step 3, the minimum required remoting version is 4.13;
    I assume that the remoting version is nothing but the agent.jar that can be downloaded when configuring a Jenkins node.

Currently, our Windows server has a Task Scheduler task that runs a .bat script to connect to the Jenkins controller, which has a curl command to download the agent.jar file.

So, the above curl command will automatically download and reference the latest agent.jar supporting remoting version 4.13, right?
Or do I still need to download the new agent.jar after the upgrade and replace it in the Jenkins agent path while connecting this agent to the Jenkins controller?

  3. Apart from the above, I don't see any significant impact or changes to be cautious of before directly upgrading from LTS 2.387.3 to LTS 2.426.3. So, if my assessment is correct, can I go ahead and directly upgrade my current Jenkins version LTS 2.387.3 to LTS 2.426.3?

Let me know if I have missed anything or if there is anything to take note of.

Really appreciate your honest feedback.

Regards,
Azeem

Correct. You can directly go to 2.426.3. But you could also directly go to the latest LTS 2.440.3.
If you don't use the mentioned plugins (i.e. you don't have them installed), then there is also no need to update them. Anyway, I would recommend updating all plugins during your upgrade process. First update all plugins while still on 2.387.3, then update Jenkins, and afterwards update all plugins once more.

When you download the agent.jar with curl from the controller, you ensure you always use a version that is compatible with your Jenkins. The way you do it is what I would consider the best way when using inbound agents. Just consider that the arguments have changed with Jenkins 2.440.1; the old syntax still works but is deprecated now (see Upgrading to Jenkins LTS 2.440.x).
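
The check a launcher can add on top of that curl download, as an added example that is not from this thread or from the Jenkins project: a POSIX sh equivalent of the .bat script that fetches agent.jar from the controller's jnlpJars endpoint and refuses to start it unless the jar's reported remoting version meets the 4.13 minimum named above. JENKINS_URL and AGENT_DIR are assumed environment variables, and the version comparison looks only at leading numeric components so that the newer 3107.v... numbering still ranks above 4.13.

```shell
#!/bin/sh
# Added example (not from the thread or Jenkins): fetch agent.jar from the
# controller and refuse to start it unless its remoting version meets the
# minimum the upgrade guide names. JENKINS_URL and AGENT_DIR are assumed env vars.
set -eu

MIN_REMOTING="4.13"   # minimum remoting version quoted in the thread

# Compare dotted versions by their leading numeric components only, so the newer
# "3107.v665000b_51092" scheme still ranks above "4.13". Returns 0 when $1 >= $2.
version_ge() {
  a="$(printf '%s' "$1" | sed 's/[^0-9.].*//')."   # drop ".v<hash>" suffix, add terminator
  b="$(printf '%s' "$2" | sed 's/[^0-9.].*//')."
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all components compared equal
    x=${x:-0}; y=${y:-0}                      # missing component counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# Download agent.jar from the controller's /jnlpJars/ endpoint, the same source a
# curl-based launcher uses, so the jar always matches the controller version.
fetch_agent_jar() {
  curl -fsSL -o "$AGENT_DIR/agent.jar" "$JENKINS_URL/jnlpJars/agent.jar"
}

# Ask the downloaded jar for its remoting version ("-version" prints it and exits).
agent_version() {
  java -jar "$AGENT_DIR/agent.jar" -version
}

# Only talk to the controller when both variables are set, so the comparison
# helper can be exercised offline.
if [ -n "${JENKINS_URL:-}" ] && [ -n "${AGENT_DIR:-}" ]; then
  fetch_agent_jar
  v=$(agent_version)
  if version_ge "$v" "$MIN_REMOTING"; then
    echo "agent.jar remoting $v meets minimum $MIN_REMOTING; launch it as before"
  else
    echo "agent.jar remoting $v is older than $MIN_REMOTING; not launching" >&2
    exit 1
  fi
fi
```

The actual `java -jar agent.jar ...` connect line is left out on purpose, since its argument syntax is the part that changed in 2.440.1 and should be taken from the node's configuration page.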

Hi @mawinter69
Thanks a lot, and I appreciate your quick response.

Just to confirm, LTS 2.440.3 will have the fix for CVE-2024-23897, right?
I mean it must be, but I still just want to confirm.

(and noted on the arguments to update while connecting the agent to the Jenkins controller)

Regards,
Azeem

Yes, 2.440.3 contains the fix.

Hi @mawinter69
Thank you for the quick response again.
Just to add one last item.

Does Jenkins LTS 2.440.3 have fixes for the CVEs below as well?
SECURITY-3291 / CVE-2023-36478, CVE-2023-44487

Regards,
Azeem

Yes, generally you can assume that the latest LTS version doesn't contain any known vulnerabilities.

Got it.
Thanks a lot @mawinter69.
Appreciate your quick response.