Wadeck Follonier
Wadeck is the Jenkins security officer, leading the security team in improving Jenkins security. He likes to provide solutions that are both useful and easy to use.
Key Takeaways Red Hat Enterprise Linux 7, and derivatives like CentOS 7, reach early end of life. Upgrades and improvements of Jenkins components continue with significant progress towards the eventual removal of Prototype.js from Jenkins core. Thanks to a kind donation from Launchable, pull requests to Jenkins core now complete their evaluation builds in 2 hours rather than the 6 hours that were...
Key Takeaways Jenkins plugin updates released to fix security vulnerabilities, advisory published on May 16. JDK8 support has been dropped in favor of JDK11 as the default for running Jenkins agents. Ssh-agent release 5.0.0 introduces breaking changes. Contributed by: Wadeck Follonier A Security Policy was added for the Docker images of the project. Due to multiple reports about CVEs present in the Docker images the project...
Key Takeaways There was one security advisory this month announcing vulnerabilities in Jenkins plugins. Cloud Cost Controls with improved resource cleanups and VM usage optimization to cope with the increased rate of builds on ci.jenkins.io. Thanks to DigitalOcean for their continued support and ($8,400 credit) sponsorship of Jenkins. ppc64le Docker agent images are now available. Jenkins at cdCon + GitOpsCon! Contributed by: Wadeck Follonier In April, there was...
A remote code execution vulnerability has been identified in the Spring Framework. This vulnerability is identified as CVE-2022-22965. Spring responded quickly with an early announcement. SpringShell in Jenkins Core and Plugins The Jenkins security team has confirmed that the Spring vulnerability does not affect Jenkins core. There is no impact because we are using Stapler as a servlet, and neither Spring MVC nor Spring...
A critical security vulnerability has been identified in the popular "Apache Log4j 2" library. This vulnerability is identified as CVE-2021-44228. Log4j in Jenkins The Jenkins security team has confirmed that Log4j is not used in Jenkins core. Jenkins plugins may be using Log4j. You can identify whether Log4j is bundled by any plugin by running the following Groovy script in the Script Console (which requires the Overall/Administer permission): org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource If this results...
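The one-line check above resolves the class through the Script Console's own classloader, so it only tells you that some installed plugin ships log4j-core and where that jar lives. The following Script Console script is an added example, not code from the Jenkins blog post or the Jenkins project, that goes one step further: it asks every installed plugin's classloader for the same JndiLookup class and groups the results by the jar they were loaded from, so you can see which plugins expose it. It assumes only the public Jenkins core API (jenkins.model.Jenkins, PluginManager, PluginWrapper) and a target class name taken from the post; the version guess from the jar file name is a heuristic of this example.

```groovy
// Added example (not from the Jenkins blog post or the Jenkins project).
// Run in Manage Jenkins > Script Console; this requires Overall/Administer.
// For every installed plugin, try to load log4j-core's JndiLookup class through
// that plugin's classloader and record the jar it came from.
import jenkins.model.Jenkins

def target = 'org.apache.logging.log4j.core.lookup.JndiLookup'
def hits = [:]   // jar location (String) -> list of "shortName:version" that resolve it

Jenkins.get().pluginManager.plugins.each { plugin ->
    try {
        def cls = plugin.classLoader.loadClass(target)
        def location = cls.protectionDomain?.codeSource?.location?.toString() ?: '<unknown location>'
        hits.computeIfAbsent(location) { [] } << "${plugin.shortName}:${plugin.version}"
    } catch (ClassNotFoundException ignored) {
        // Neither this plugin nor its dependency plugins bundle log4j-core.
    } catch (NoClassDefFoundError ignored) {
        // The class exists but could not be linked; treat it as not usable from here.
    }
}

if (hits.isEmpty()) {
    println "No installed plugin exposes ${target}: log4j-core is not bundled by any plugin."
} else {
    hits.each { location, plugins ->
        // Best-effort version guess from the jar name, e.g. .../log4j-core-2.14.1.jar
        // (heuristic of this example, not a Log4j or Jenkins API).
        def m = (location =~ /log4j-core-([\d.]+)\.jar/)
        def version = m ? m[0][1] : 'unknown'
        println "log4j-core ${version} at ${location}"
        println "  resolvable from: ${plugins.join(', ')}"
    }
}
```

A plugin's classloader delegates to the classloaders of the plugins it depends on, so a plugin that merely depends on one that bundles log4j-core will also resolve the class, at the same jar location; that is why the output is grouped by location. The plugin whose plugins/<name>/WEB-INF/lib/ directory contains the jar is the one actually shipping the library. Finding the class only establishes that log4j-core is present; compare the reported version against the Log4j advisory for CVE-2021-44228 before concluding the installation is exposed.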
This is a speaker blog post for a DevOps World | Jenkins World 2019 talk in Lisbon, Portugal. Come join us at DevOps World | Jenkins World 2019 for "Thinking about Jenkins Security", a talk about securing your Jenkins server. We’ll review the layers that secure Jenkins and describe techniques that you can use to protect your Jenkins server. Topics will include: The secure by...
About API tokens Jenkins API tokens are an authentication mechanism that allows a tool (script, application, etc.) to impersonate a user without providing the actual password for use with the Jenkins API or CLI. This is especially useful when your security realm is based on a central directory, like Active Directory or LDAP, and you don’t want to store your password in scripts. Recent versions...