Vulnerabilities on Jenkins LTS 2.401.1

Hi Team,

We are using Jenkins in our environment [Jenkins 2.401.1]. We ran a vulnerability scan using the Anchore container scanning tool and found a few vulnerabilities on the Jenkins image. Please let us know how these vulnerabilities can be resolved or addressed as part of our monthly ConMon process.

Jenkins setup: We are running Jenkins in an EKS cluster, using version 2.401.1 and the docker image “jenkins/jenkins:lts-alpine”.

We also scanned Jenkins image version 2.401.3 and this version has the same number of vulnerabilities. We are looking for a response for all the HIGH and Medium findings.

Here is the list of vulnerabilities.
HIGH Findings
CVE-2022-40152 - /usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/jackson2-api.hpi:WEB-INF/lib/woodstox-core-6.3.1.jar
CVE-2022-25647 - /usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/trilead-api.hpi:WEB-INF/lib/gson-2.8.6.jar
CVE-2023-2976 - /usr/share/jenkins/jenkins.war:WEB-INF/lib/guava-31.1-jre.jar
CVE-2023-36632 - Alpine Package (python3-3.11.4-r0)

There are 32 Medium and 11 Low findings; I am attaching the vulnerability report.

Please let me know if you need additional information.

You might want to read and follow instructions from the page Jenkins Security.

In particular, Reporting Security Vulnerabilities states:

Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we inform maintainers about the need to update their dependencies, and may track progress in the SECURITY Jira project, no security advisory will be published for these.

In detail, the findings in /usr/share/jenkins/jenkins.war need to be checked carefully and reported as per the linked process if there is a demonstrable exploit.

About CVE-2023-36632 - Alpine Package (python3-3.11.4-r0): do you have details about the Alpine Linux assessment? I don’t see it in https://security.alpinelinux.org/branch/3.18-main

Thanks for the response @dduportal. All the vulnerabilities exist on the lts alpine image. We can check the alpine package vulnerability and try to upgrade; however, most of the vulnerabilities exist in jenkins.war. I wanted to understand how these can be addressed.
I have created a security ticket. Please let me know if you need additional information.

They aren’t addressed as security vulnerabilities because they are not security vulnerabilities unless there is a demonstrable exploit.

Jenkins dependencies are regularly upgraded because we like to keep the dependencies current.

I’m perplexed why the scanner would identify python3-3.11.4-r0 as a vulnerability, since Jenkins does not include the Python APK in the Alpine image. There is no python executable in the Alpine container provided by the Jenkins project. There are no Python packages in the Alpine image. Maybe you’re testing a custom container image that you built and somehow decided that you should include Python in your custom container image?

@MarkEWaite Thanks for the response. You can exclude Python3, as we are installing on the jenkins lts-alpine base image. We are using the LTS release and these vulnerabilities are found on the LTS Jenkins release. I wanted to understand how/when these will be resolved on the LTS release. I understand that some of them are fixed in the weekly release, but I am looking for a timeline or release number when these will be fixed in the LTS version.

Here is the list of vulnerabilities on jenkins.war
CVE-2022-40152 High java /usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/jackson2-api.hpi:WEB-INF/lib/woodstox-core-6.3.1.jar woodstox-core-6.3.1
CVE-2022-25647 High java /usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/trilead-api.hpi:WEB-INF/lib/gson-2.8.6.jar gson-2.8.6
CVE-2023-2976 High java /usr/share/jenkins/jenkins.war:WEB-INF/lib/guava-31.1-jre.jar guava-31.1-jre
CVE-2023-35116 Medium java /usr/share/jenkins/ref/plugins/jackson2-api.jpi:WEB-INF/lib/jackson-databind-2.15.2.jar jackson-databind-2.15.2
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-io jetty-io-10.0.13
CVE-2010-3700 Medium java /usr/share/jenkins/ref/plugins/reverse-proxy-auth-plugin.jpi:WEB-INF/lib/acegi-security-1.0.7.jar acegi-security-1.0.7
CVE-2023-35116 Medium java /usr/share/jenkins/ref/plugins/cisco-spark-notifier.jpi:WEB-INF/lib/jackson-databind-2.13.4.2.jar jackson-databind-2.13.4.2
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-server jetty-server-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-xml jetty-xml-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-security jetty-security-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-alpn-server jetty-alpn-server-10.0.13
CVE-2023-35116 Medium java /usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/jackson2-api.hpi:WEB-INF/lib/jackson-databind-2.13.4.2.jar jackson-databind-2.13.4.2
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-webapp jetty-webapp-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-http jetty-http-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-xml jetty-xml-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-io jetty-io-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-alpn-java-server jetty-alpn-java-server-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-server jetty-server-10.0.13
CVE-2023-35116 Medium java /opt/jenkins-plugin-manager.jar:jackson-databind jackson-databind-2.14.2
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-security jetty-security-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-servlet jetty-servlet-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-alpn-server jetty-alpn-server-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-jmx jetty-jmx-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-servlet jetty-servlet-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-http jetty-http-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-webapp jetty-webapp-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-alpn-java-server jetty-alpn-java-server-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-util jetty-util-10.0.13
CVE-2023-26049 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-jmx jetty-jmx-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-util jetty-util-10.0.13

Please let me know if you need additional information.
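Before asking anyone where a finding gets fixed, it helps to sort the scanner output by the component whose release cycle actually controls it. The following triage script is an added example, not code from the thread or from the Jenkins project: it parses lines in the "CVE severity type path package" shape pasted above and groups each CVE as a jenkins.war core library, the Winstone/Jetty container bundled in the war, a detached plugin inside the war, a pre-installed plugin under ref/plugins, the plugin manager jar, or a base-image package. The sample lines are constructed for the example, and the shape of the apk line is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Anchore lines above; the apk line is invented.
SAMPLE_FINDINGS = """\
CVE-2022-40152 High java /usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/jackson2-api.hpi:WEB-INF/lib/woodstox-core-6.3.1.jar woodstox-core-6.3.1
CVE-2023-2976 High java /usr/share/jenkins/jenkins.war:WEB-INF/lib/guava-31.1-jre.jar guava-31.1-jre
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-io jetty-io-10.0.13
CVE-2023-26048 Medium java /usr/share/jenkins/jenkins.war:executable/winstone.jar:jetty-server jetty-server-10.0.13
CVE-2023-35116 Medium java /usr/share/jenkins/ref/plugins/jackson2-api.jpi:WEB-INF/lib/jackson-databind-2.15.2.jar jackson-databind-2.15.2
CVE-2023-35116 Medium java /opt/jenkins-plugin-manager.jar:jackson-databind jackson-databind-2.14.2
CVE-2023-36632 High apk python3-3.11.4-r0 python3-3.11.4-r0
"""

# A plugin archive (.hpi inside the war, .jpi under ref/plugins) nested in the path.
PLUGIN_RE = re.compile(r"/([^/:]+)\.(?:hpi|jpi):")


def classify(kind: str, path: str) -> str:
    """Name the component whose update cycle controls the fix for this finding."""
    if kind != "java":
        return "base image (alpine apk)"
    m = PLUGIN_RE.search(path)
    if m and "WEB-INF/detached-plugins/" in path:
        return f"detached plugin bundled in jenkins.war: {m.group(1)}"
    if m and "/ref/plugins/" in path:
        return f"pre-installed plugin: {m.group(1)}"
    if "jenkins.war:executable/winstone.jar" in path:
        return "jenkins.war: Winstone/Jetty servlet container"
    if "jenkins.war:WEB-INF/lib/" in path:
        return "jenkins.war: core library"
    if "jenkins-plugin-manager.jar" in path:
        return "plugin installation manager tool"
    return "other"


def parse_finding(line: str):
    """Parse one 'CVE severity type path package' line; None for anything else."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].startswith("CVE-"):
        return None
    cve, severity, kind, path, package = parts
    return {"cve": cve, "severity": severity, "kind": kind, "path": path, "package": package}


def triage(report: str) -> dict:
    """Group (cve, package, severity) triples by owning component, dropping duplicate lines."""
    groups = defaultdict(set)
    for line in report.splitlines():
        f = parse_finding(line)
        if f:
            groups[classify(f["kind"], f["path"])].add((f["cve"], f["package"], f["severity"]))
    return {owner: sorted(items) for owner, items in groups.items()}


if __name__ == "__main__":
    for owner, items in triage(SAMPLE_FINDINGS).items():
        print(owner)
        for cve, package, severity in items:
            print(f"  {cve:<16}{severity:<8}{package}")
```

Findings under jenkins.war follow the Jenkins core LTS cycle, plugin findings follow each plugin's own releases, and apk findings belong to the base image, so each group goes to a different place in the process the replies above describe.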

There are some key misperceptions in your comments. I’ll try to clarify those misperceptions and explain why the Jenkins contributors like me do not answer these types of requests.

This is your first misperception. There are no vulnerabilities unless you have a demonstrable exploit. You’ve not mentioned a demonstrable exploit, so I continue with the assumption that you are incorrectly labeling something as a vulnerability that is not a vulnerability.

The first misperception (incorrectly claiming that older dependencies are vulnerabilities) changes the framing of this request. I think you want to understand when the dependencies that you listed will be updated in a Jenkins LTS release to a newer version of the dependency.

You are welcome to do that research yourself so that you can identify the history of those dependencies from the source code of Jenkins core. You’ll find the details of each dependency update in the history of the primary development branch. The details of each dependency update for the next LTS release are in the stable-2.414 branch.

Jenkins contributors won’t do that research for you. If your organization requires that research, you’ll need to do that research yourself.