Wednesday, January 9, 2019

Jenkins security release: Script Security sandbox bypass

The Jenkins security team has published a Jenkins Security Advisory announcing a new vulnerability in some Jenkins plugins. The vulnerability is a bypass of the Jenkins sandbox protection in the Script Security Plugin and Pipeline Plugins, and it allows an attacker to execute arbitrary code on the Jenkins primary node.

We strongly recommend that you update your Jenkins plugins to their latest versions. You can follow our documentation to learn how to upgrade them. Below is the list of affected plugins and the versions you should upgrade to:

  • Pipeline: Declarative Plugin should be updated to version
  • Pipeline: Groovy Plugin should be updated to version 2.61.1
  • Script Security Plugin should be updated to version 1.50
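To check an existing installation against the list above, the following added example (not part of the Jenkins advisory or of Bitnami's tooling) compares a plugin inventory with the versions given on this page. It assumes the inventory is available as `short-name:version` lines and uses the plugin short names `script-security`, `workflow-cps` and `pipeline-model-definition`; the sample inventory is constructed.

```python
import re

# Fixed versions as listed on this page. No version is given here for
# Pipeline: Declarative, so it is left as None rather than guessed.
FIXED = {
    "script-security": "1.50",           # Script Security Plugin
    "workflow-cps": "2.61.1",            # Pipeline: Groovy Plugin
    "pipeline-model-definition": None,   # Pipeline: Declarative Plugin
}

def parse_version(text):
    """Return a tuple of ints for a purely numeric dotted version, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed):
    """Compare segment by segment, padding the shorter version with zeros."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)

def audit(plugin_lines):
    """Map each affected plugin to ok, update, check-manually or not-installed."""
    installed = {}
    for line in map(str.strip, plugin_lines):
        if line and not line.startswith("#") and ":" in line:
            name, version = line.split(":", 1)
            installed[name.strip()] = version.strip()
    report = {}
    for name, fixed in FIXED.items():
        have = parse_version(installed[name]) if name in installed else None
        if name not in installed:
            report[name] = "not-installed"
        elif fixed is None or have is None:
            report[name] = "check-manually"   # no target on page, or odd version
        elif is_older(have, parse_version(fixed)):
            report[name] = "update"
        else:
            report[name] = "ok"
    return report

# Constructed sample inventory, not taken from a real server.
SAMPLE = ["script-security:1.49", "workflow-cps:2.61.1",
          "pipeline-model-definition:1.3.4", "git:3.9.1"]

if __name__ == "__main__":
    for plugin, status in audit(SAMPLE).items():
        print(f"{plugin}: {status}")
```

A result of `ok` only means the installed version is at or above the one listed here; `check-manually` covers the Declarative plugin and any version string with a non-numeric qualifier.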

You can find more information about the Jenkins security announcement in the Jenkins Security Advisory.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team has already updated our different solutions with the new versions of each plugin and we are working on updating the different marketplaces as soon as possible.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum and we will be happy to help you.