April was a busy month for the Jenkins community: it published a long list of security advisories, and many but not all of the issues had fixes available when the announcements were made.
https://jenkins.io/security/advisory/2019-04-03/
When we ship a Jenkins Managed Service we ship it with only the built-in plugins, and we advise our customers to be cautious about installing more. Deciding whether a plugin is really necessary is more art than science, but it can be shortened to this:
if you can achieve a similar result by executing code from the command line, or better still from a shared library, it is probably safer to do that, because not all plugins are created equal.
Personally, my perspective is more conservative still: the CI/CD platform is a mission-critical platform, and as a result we need to manage it seriously.
The more plugins, the more moving parts, the riskier.
The next advisory we dealt with was this one.
https://jenkins.io/security/advisory/2019-04-10/
Affected Versions
- Jenkins weekly up to and including 2.171
- Jenkins LTS up to and including 2.164.1
Fix
- Jenkins weekly should be updated to version 2.172
- Jenkins LTS should be updated to version 2.164.2
We upgraded all our installations the same day this was released. We can run upgrade simulations to test an installation before we upgrade it; the process takes a little time, but it means our customers see no disruption. The next two advisories did not affect any of our customers, but we list them here for completeness.
https://jenkins.io/security/advisory/2019-04-17/
Affected plugins
- Azure PublisherSettings Credentials Plugin up to and including 1.2
- GitLab Plugin up to and including 1.5.11
- jira-ext Plugin up to and including 0.8
- ontrack Jenkins Plugin up to and including 3.4
- XebiaLabs XL Deploy Plugin up to and including 7.5.3
Fixed Plugins
- Azure PublisherSettings Credentials Plugin should be updated to version 1.5
- GitLab Plugin should be updated to version 1.5.12
- jira-ext Plugin should be updated to version 0.9
- ontrack Jenkins Plugin should be updated to version 3.4.1
https://jenkins.io/security/advisory/2019-04-30/
Affected Versions
- Ansible Tower Plugin up to and including 0.9.1
- Aqua MicroScanner Plugin up to and including 1.0.5
- Azure AD Plugin up to and including 0.3.3
- GitHub Authentication Plugin up to and including 0.31
- Koji Plugin up to and including 0.3
- Self-Organizing Swarm Plug-in Modules Plugin up to and including 3.15
- SiteMonitor Plugin up to and including 0.5
- Static Analysis Utilities Plugin up to and including 1.95
- Twitter Plugin up to and including 0.7
Fix
- Ansible Tower Plugin should be updated to version 0.9.2
- Aqua MicroScanner Plugin should be updated to version 1.0.6
- Azure AD Plugin should be updated to version 0.3.4
- GitHub Authentication Plugin should be updated to version 0.32
- SiteMonitor Plugin should be updated to version 0.6
- Static Analysis Utilities Plugin should be updated to version 1.96
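The advisory lists above are only useful if you actually compare them against what is installed. The script below is an added example, not the managed service's own tooling: it transcribes the 2019-04-10 core advisory and the two plugin advisories into tables, distinguishes LTS from weekly releases by version shape, and checks a constructed plugin inventory (in the "display name:version" form the script console prints) against them. Note the numeric version comparison; a plain string comparison would rank 0.9.1 above 0.10.

```python
"""Check a Jenkins controller and its plugins against the April 2019 advisories
listed above.  Added example, not the managed service's own tooling: the
advisory tables are transcribed from the lists in this post and the
installed-plugin inventory is constructed sample input."""
import re
from typing import List, Optional, Tuple

# 2019-04-10 core advisory: release line -> (last affected, first fixed).
CORE_ADVISORY = {
    "weekly": ("2.171", "2.172"),
    "lts": ("2.164.1", "2.164.2"),
}

# Plugin advisories of 2019-04-17 and 2019-04-30, keyed by the display name used
# in the post: (last affected version, first fixed version or None when no fix
# had been published at the time of the advisory).
PLUGIN_ADVISORIES = {
    "Azure PublisherSettings Credentials Plugin": ("1.2", "1.5"),
    "GitLab Plugin": ("1.5.11", "1.5.12"),
    "jira-ext Plugin": ("0.8", "0.9"),
    "ontrack Jenkins Plugin": ("3.4", "3.4.1"),
    "XebiaLabs XL Deploy Plugin": ("7.5.3", None),
    "Ansible Tower Plugin": ("0.9.1", "0.9.2"),
    "Aqua MicroScanner Plugin": ("1.0.5", "1.0.6"),
    "Azure AD Plugin": ("0.3.3", "0.3.4"),
    "GitHub Authentication Plugin": ("0.31", "0.32"),
    "Koji Plugin": ("0.3", None),
    "Self-Organizing Swarm Plug-in Modules Plugin": ("3.15", None),
    "SiteMonitor Plugin": ("0.5", "0.6"),
    "Static Analysis Utilities Plugin": ("1.95", "1.96"),
    "Twitter Plugin": ("0.7", None),
}

# Constructed inventory in the "display name:version" form you get from the
# script console with
#   Jenkins.instance.pluginManager.plugins.each { println "${it.displayName}:${it.version}" }
SAMPLE_INVENTORY = """\
GitLab Plugin:1.5.11
GitHub Authentication Plugin:0.32
Koji Plugin:0.3
Static Analysis Utilities Plugin:1.96
ontrack Jenkins Plugin:3.4
Pipeline: Shared Groovy Libraries:2.13
"""


def version_key(version: str) -> Tuple:
    """Sort key that compares numeric components as numbers, so that
    0.9.1 < 0.10 and 2.9 < 2.10 (plain string comparison gets both wrong)."""
    parts = re.split(r"[.\-]", version.strip())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def release_line(version: str) -> str:
    """LTS releases carry three components (2.164.1); weekly releases two (2.171)."""
    return "lts" if len(version.split(".")) == 3 else "weekly"


def check_core(version: str) -> Optional[str]:
    """Return an upgrade instruction if this core version is affected, else None."""
    line = release_line(version)
    last_affected, fixed = CORE_ADVISORY[line]
    if version_key(version) <= version_key(last_affected):
        return f"Jenkins {line} {version} is affected; upgrade to {fixed}"
    return None


def check_plugins(inventory: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (name, installed, action, target_version) for each affected plugin."""
    findings = []
    for raw in inventory.splitlines():
        if ":" not in raw:
            continue
        # rsplit: display names such as "Pipeline: Shared Groovy Libraries" contain colons
        name, installed = raw.rsplit(":", 1)
        name, installed = name.strip(), installed.strip()
        advisory = PLUGIN_ADVISORIES.get(name)
        if advisory is None:
            continue
        last_affected, fixed = advisory
        if version_key(installed) > version_key(last_affected):
            continue  # already on a fixed release
        action = "upgrade" if fixed else "no fix published; disable or uninstall"
        findings.append((name, installed, action, fixed))
    return findings


if __name__ == "__main__":
    print(check_core("2.164.1") or "core: not affected")
    for name, installed, action, target in check_plugins(SAMPLE_INVENTORY):
        print(f"{name} {installed}: {action} {target or ''}".rstrip())
```

Plugins with no published fix (XL Deploy, Koji, Swarm, Twitter at the time) are reported as "disable or uninstall" rather than silently skipped; that is the case the plain "update to version X" lists do not cover.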
Security is very important. It can be challenging to wrangle at times, but it is a necessary part of our work and an aspect we will keep improving.
We will be doing daily security reviews and will share more about that process online. All our security features are included across all plans. Here are a few I'd like to point out.
Some security-specific features we offer customers
- Customers can provide a cross-account role, which removes the need to store their credentials on our platform.
- We offer comprehensive Role-Based Access Control (RBAC) to limit permissions on the platform.
- We turn off build execution on the master by default, so builds only run on agents.
- Built-in CSRF protection is enabled.
- HTTP header security protections via the X-Frame-Options header.
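The RBAC, master-executor and CSRF items above are all persisted in the controller's config.xml, so they can be audited offline. As an added example (not the managed service's tooling), the script below parses two constructed config.xml fragments, one weak and one hardened, and reports the settings that need attention. The X-Frame-Options header is not a config.xml setting, so it is not checked here.

```python
"""Audit a Jenkins controller's config.xml for three of the hardening points
listed above: no executors on the master, CSRF crumb issuer present, and an
authorization strategy that actually restricts permissions.  Added example;
both config.xml fragments are constructed and trimmed to the elements checked."""
import xml.etree.ElementTree as ET
from typing import List

# "Anyone can do anything" in the Jenkins UI is persisted as this class.
UNSAFE_AUTHZ = {"hudson.security.AuthorizationStrategy$Unsecured"}

# Constructed: a default-ish controller that still runs builds on the master,
# has no crumb issuer and grants everyone full control.
WEAK_CONFIG = """\
<hudson>
  <version>2.164.1</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed: the same controller with the settings from the list above.
HARDENED_CONFIG = """\
<hudson>
  <version>2.164.2</version>
  <numExecutors>0</numExecutors>
  <mode>EXCLUSIVE</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admins</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""


def audit_config(xml_text: str) -> List[str]:
    """Return one human-readable finding per weak setting; empty list when clean."""
    root = ET.fromstring(xml_text)
    findings = []

    # Builds running on the master can read every job's workspace and secrets.
    executors = root.findtext("numExecutors")
    if executors is None or int(executors) != 0:
        findings.append(
            f"master has {executors or 'default'} executors; "
            "set numExecutors to 0 so builds only run on agents"
        )

    # Without a crumb issuer, form posts and API calls carry no CSRF token.
    if root.find("crumbIssuer") is None:
        findings.append("no crumbIssuer element: CSRF protection is disabled")

    if root.findtext("useSecurity") != "true":
        findings.append("useSecurity is not true: the instance is unsecured")

    authz = root.find("authorizationStrategy")
    cls = authz.get("class") if authz is not None else None
    if cls is None or cls in UNSAFE_AUTHZ:
        findings.append(
            f"authorizationStrategy {cls or 'missing'} grants everyone full control"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```

Run it against `$JENKINS_HOME/config.xml` of any instance you manage; the weak fragment above produces three findings and the hardened one none.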