Winstone/Jetty vs Tomcat Vulnerability/fixes

Hello Jenkins Community,

Good afternoon.

My name is John Dove.

I have some questions regarding running Jenkins on Microsoft Windows / Security Vulnerabilities.

I understand “bundled” Winstone/Jetty is the only container Fully Supported for running Jenkins.

I understand Tomcat is Not supported.

Please see my questions below, 1-2.

Thanks very much.

Thank you,

~ John

1

Where I work we have always hosted Jenkins inside of Tomcat.

Currently, we are planning the creation of a completely New Jenkins build system.

New Windows machines. New Jenkins. New Sonar. All great stuff…

This New Jenkins system will be used by a very large team of software developers.

This New Jenkins system will be a central build system for many people.

Question: should we even consider using Tomcat to run Jenkins?

2

Due to “software vulnerabilities” nowadays (generally speaking at an industry level) I assume using your “bundled” Winstone/Jetty is the correct action to take. If your “bundled” Winstone/Jetty (inside the Jenkins WAR file) has a “security vulnerability” itself, then to fix that vulnerability, we would just need to wait for your Jenkins team to release the next LTS version.

Your team will keep your “bundled” Winstone/Jetty up-to-date with any vulnerability fixes as needed.

Correct?

For large Jenkins systems I would recommend to run the controller on a Linux machine and not Windows. You should anyway offload the workload to agents for security reasons and those can be Windows or whatever you need.
Personally I would also look into containerizing Jenkins with an image that has baked in the plugins and parts of the configuration at least.
I think that Jenkins doesn’t support agents to connect via websockets when running on Tomcat, but not sure if this is still valid. Websocket is now the preferred way for inbound agents to connect.
Yes, Jenkins will keep the bundled Jetty up-to-date. If a security issue is found in Jetty that will be provided with the next LTS release.
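Because the bundled Jetty is only refreshed when a new Jenkins release ships, it helps to be able to verify exactly which Jetty version a given jenkins.war carries before comparing it with a Jetty advisory. The script below is an added example, not code from the Jenkins project or from anyone in this thread. It assumes the usual Maven layout in which each built jar carries a META-INF/maven/<groupId>/<artifactId>/pom.properties entry, and it recurses into nested jars so that a shaded container jar is covered too; the sample WAR it builds in memory (an executable/winstone.jar plus a WEB-INF/lib jar, with obviously fake versions) is constructed for the demo and is an assumption about the real file layout, so run it against an actual WAR to see the real inventory.

```python
"""Inventory the Maven-built components bundled in a Jenkins-style WAR.

Added example, not Jenkins project code. Assumes each jar carries
META-INF/maven/<groupId>/<artifactId>/pom.properties (the standard Maven
layout). The nested layout of the constructed sample WAR is an assumption.
"""
import io
import re
import sys
import zipfile

POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def _parse_props(data: bytes) -> dict:
    """Parse a Java .properties file into a dict (comments and blanks skipped)."""
    props = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _scan_zip(zf: zipfile.ZipFile, location: str, out: dict) -> None:
    """Record every pom.properties in zf, recursing into nested .jar entries."""
    for name in zf.namelist():
        match = POM_RE.match(name)
        if match:
            props = _parse_props(zf.read(name))
            gid = props.get("groupId", match.group(1))
            aid = props.get("artifactId", match.group(2))
            out[(gid, aid)] = (props.get("version", "?"), location)
        elif name.endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{location}!{name}", out)
            except zipfile.BadZipFile:
                # a .jar entry that is not a valid zip is skipped, not fatal
                continue


def inventory(war_bytes: bytes) -> dict:
    """Map (groupId, artifactId) -> (version, location inside the WAR)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        _scan_zip(zf, "", out)
    return out


def jetty_versions(inv: dict) -> set:
    """Distinct versions of org.eclipse.jetty* artifacts found in the inventory."""
    return {ver for (gid, _aid), (ver, _loc) in inv.items()
            if gid.startswith("org.eclipse.jetty")}


def _jar(entries: dict) -> bytes:
    """Build an in-memory zip/jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample WAR; versions are placeholders, not real release data."""
    winstone = _jar({
        "META-INF/maven/org.jenkins-ci/winstone/pom.properties":
            b"groupId=org.jenkins-ci\nartifactId=winstone\nversion=0.0.0-SAMPLE\n",
        "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties":
            b"# constructed\ngroupId=org.eclipse.jetty\nartifactId=jetty-server\nversion=9.9.9-SAMPLE\n",
    })
    core = _jar({
        "META-INF/maven/org.jenkins-ci.main/jenkins-core/pom.properties":
            b"groupId=org.jenkins-ci.main\nartifactId=jenkins-core\nversion=0.0.0-SAMPLE\n",
    })
    return _jar({
        "executable/winstone.jar": winstone,      # assumed location of the container jar
        "WEB-INF/lib/jenkins-core-SAMPLE.jar": core,
        "WEB-INF/lib/not-a-jar.jar": b"garbage",  # exercises the BadZipFile path
    })


def report(inv: dict) -> str:
    lines = [f"{gid}:{aid} {ver}  ({loc or '(war root)'})"
             for (gid, aid), (ver, loc) in sorted(inv.items())]
    lines.append(f"Jetty versions present: {sorted(jetty_versions(inv)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python inventory_war.py [path/to/jenkins.war]; no argument runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    print(report(inventory(data)))
```

Keeping the output of this script from each LTS upgrade gives a simple record of when the bundled Jetty actually changed, which is the fact you need when deciding whether a Jetty advisory applies to your controller.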

Hi Markus,

Thanks for the ideas on Linux and the containers. Good to know.

>>> Yes, Jenkins will keep the bundled Jetty up-to-date.

>>> If a security issue is found in jetty that will be provided with the next LTS release.

Ok.

Great.

Thanks.

~ John