
How can the Jenkins vulnerabilities in plug-ins be mitigated?

A wave of Jenkins vulnerabilities related to plug-ins were recently discovered. Expert Judith Myerson explains the flaws and how enterprises should mitigate them.

Jenkins, an open source tool for building and testing DevOps apps, had several vulnerabilities disclosed this year, particularly around plug-ins. How can we stop an attacker from exploiting these Jenkins vulnerabilities?

The best way to stop an attacker from exploiting Jenkins vulnerabilities is to visit the Jenkins Security Advisory website and read what fixes have been released for the affected plug-ins on platforms and Docker containers.

Some vulnerable plug-ins have dependencies -- required or optional -- that may or may not be affected. In an advisory on multiple affected plug-ins, the severity of each of the Jenkins vulnerabilities is listed as low, medium or high.

Maintaining an inventory of installed plug-ins would make it easier for the DevOps team to locate the affected plug-ins and plan for updates. The inventory should also record the versions of Jenkins -- and Java, in some cases -- required for the plug-in updates to install and work. The required Jenkins version depends on which release line the team follows for bug fixes and new features -- long-term support (LTS) or weekly releases.

In an advisory published on Aug. 8, 2017, more Jenkins vulnerabilities were announced -- this time a low-severity vulnerability in the Security Assertion Markup Language (SAML) plug-in that resulted in passwords being stored unencrypted. The vulnerability could lead to the exposure of passwords through browser extensions and cross-site scripting vulnerabilities.

The SAML plug-in now stores encrypted passwords. Users are advised to update the plug-in to version 1.0.3 or later. The SAML page shows Jenkins 2.60.1 and Java 8 as the minimum requirements for a proper plug-in update.

The Aug. 7, 2017 advisory listed five high-, five medium- and two low-severity Jenkins vulnerabilities. The vulnerability in the Datadog plug-in is a high-severity flaw: an API key stored on an encrypted disk could be transmitted in plain text.

The plug-in now encrypts the API key transmitted to administrators viewing the global configuration form. The Datadog plug-in has no plug-in dependencies of its own.
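As an added example (not the columnist's or the Jenkins project's code), the plug-in inventory check the answer recommends: it compares installed plug-in versions against advisory fix versions, lists each affected plug-in's required and optional dependencies for review, and checks the Jenkins core version against the minimum a fixed plug-in needs. It assumes the JSON shape of Jenkins' `/pluginManager/api/json?depth=1` endpoint and uses constructed sample data in place of a live call.

```python
import json
import re

# Fixed versions from the advisories the answer cites; only SAML 1.0.3 is on the page.
FIXED_VERSIONS = {"saml": "1.0.3"}
MIN_CORE_FOR_SAML = "2.60.1"  # minimum Jenkins core the SAML plug-in page lists

# Constructed sample in the shape of Jenkins' /pluginManager/api/json?depth=1 output
# (versions and the dependency are made up for this example).
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "saml", "version": "1.0.2", "enabled": True,
     "dependencies": [{"shortName": "credentials", "optional": False, "version": "2.1.13"}]},
    {"shortName": "datadog", "version": "0.5.0", "enabled": True, "dependencies": []},
    {"shortName": "credentials", "version": "2.1.13", "enabled": True, "dependencies": []},
]})

def parse_version(version):
    """Turn '1.0.3' into (1, 0, 3); a non-numeric suffix such as '-beta-1' is dropped."""
    nums = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)

def find_outdated(plugin_api_json, fixed_versions):
    """Map shortName -> (installed, fixed) for plug-ins still below the advisory's fixed version."""
    outdated = {}
    for plugin in json.loads(plugin_api_json)["plugins"]:
        name, installed = plugin["shortName"], plugin["version"]
        fixed = fixed_versions.get(name)
        if fixed and parse_version(installed) < parse_version(fixed):
            outdated[name] = (installed, fixed)
    return outdated

def dependencies_of(plugin_api_json, short_name):
    """(dependency, optional) pairs one plug-in declares, each to be checked against the advisory."""
    for plugin in json.loads(plugin_api_json)["plugins"]:
        if plugin["shortName"] == short_name:
            return [(d["shortName"], d.get("optional", False)) for d in plugin.get("dependencies", [])]
    return []

def core_meets_minimum(core_version, minimum):
    """True when the Jenkins core version (X-Jenkins response header) satisfies a plug-in's minimum."""
    return parse_version(core_version) >= parse_version(minimum)

if __name__ == "__main__":
    for name, (have, need) in find_outdated(SAMPLE_PLUGIN_JSON, FIXED_VERSIONS).items():
        print(f"UPDATE {name}: installed {have}, fixed in {need}; dependencies: {dependencies_of(SAMPLE_PLUGIN_JSON, name)}")
    print("core 2.46.3 OK for saml 1.0.3:", core_meets_minimum("2.46.3", MIN_CORE_FOR_SAML))
```

Against a live controller, fetch the endpoint with an API token and feed the response body to `find_outdated` in place of the sample.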


This was last published in September 2017
