This vulnerability affects all users of Jenkins Pipeline, and not just those running a Groovy library Pipeline plugin. All users are strongly advised to update their installations as soon as possible. If you are running a version of Jenkins that supports plugins, you must upgrade to a version that supports plugins. To update your installation, go to the Plugins page in your Jenkins web interface, choose the Groovy library you wish to update, and click the Update button.
Summary of affected versions
CVE-2022-43405 is a critical vulnerability that affects all users of Jenkins Pipeline. This vulnerability affects all versions of Jenkins Pipeline, and not just those running the Groovy library plugin. All users are strongly advised to update their installation as soon as possible. If you are running a version of Jenkins that supports plugins, you must upgrade to a version that supports plugins. To update your installation, go to the Plugins page in your Jenkins web interface, choose the Groovy library you wish to update, and click the Update button.
Description of the vulnerability
The Groovy plugin for Jenkins Pipeline is vulnerable to remote command execution. This vulnerability affects all users of the Groovy library Pipeline plugin, and not just those running a Groovy library Pipeline plugin. All users are strongly advised to update their installations as soon as possible.
How do I know if I'm affected?
If you are using the Jenkins Pipeline plugin for Groovy, then you are at risk.
Symptoms of the CVE
At the time of this writing, the Jenkins Pipeline Groovy library has been patched and is now safe to use. Users are advised to upgrade to version 1.122.0 or greater as soon as possible in order to ensure that they have updated their pipeline plugins and have no further exposure to the vulnerability.
The symptoms of this vulnerability vary depending on how your systems are configured, but they typically include a Jenkins build failing with an error like:
"java.lang.NoSuchMethodError: groovy/scripts/ScriptRunner.exit()Ljava/lang/Throwable;"
These errors may also occur when running a Build step, like Build a WAR artifact, Build a Maven project, etc., and may be accompanied by other errors such as "Exception in thread "main" java.lang.RuntimeException: Failed in script 'build-project-with-arguments' of plugin 'default': Script exited with code 1."
What is Jenkins Pipeline?
Jenkins Pipeline is an open source tool for developers who want to automate their build process. This tool provides a point-and-click interface for building, testing, and deploying software from code through to production. Jenkins Pipeline is available as an extension for the popular open source continuous integration server called Jenkins.
With Jenkins Pipeline, you can build and deploy software from scratch. You can also use it as a development environment to test your software with realistic production data before deploying it to production. Additionally, you can automatically trigger multiple processes in a pipeline through triggers that you specify based on changes in values of certain fields or events occurring on other systems such as pull request creation on GitLab.
Although this vulnerability affects all users of Jenkins Pipeline, not just those running Groovy library Plugin, we strongly advise all users to update their installations as soon as possible due to the severity of the vulnerability.
Timeline
Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 19:01:00 UTC