For years, the Jenkins project has received reports of remote code execution (RCE) attacks involving Remoting and/or XStream. Typically the attacks involve fairly exotic classes in the Java Platform or sundry libraries such as Groovy. The Jenkins CERT has responded to such reports reactively, by blacklisting the affected classes or packages. That approach has proven unmaintainable, and in JENKINS-47736 we have switched from a blacklist to a whitelist.
JEP sponsors and reviewers invested significant time in testing plugins, but there is an obvious risk that particular plugins use types which are not covered by the whitelists. In this document we track such plugins and known issues so that Jenkins administrators can update in a timely manner and/or apply workarounds.
Links
- JEP-200 - Jenkins Enhancement Proposal
- Announcement blogpost
- JEP-200 label for related issues in Jenkins JIRA (query)
- JEP-200 post-release maintenance (before May 01 - by JEP-200 maintainers, afterwards - by plugin maintainers)
Workarounds
- Workarounds can be applied on both the Jenkins administrator side and the plugin developer side
- Workarounds are described in the JEP-200 blogpost
Affected plugins
The table provides a list of plugins which were affected by JEP-200 in Jenkins 2.102+. The "Status" column reflects the current state; fixes may be applied on the plugin and/or on the core side. Note that this list is not exhaustive.
If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. In this list we track only plugins with issues in the production code. Issues in test classes are tracked separately.
More importantly, please file a bug report with the JEP-200 label, if one doesn't exist, to help ensure that the appropriate plugin maintainer is informed.
Plugins hosted in the main Jenkins Update Center
| Plugin name | Serialization type | Behaviour | Issue / pull request | Status |
|---|---|---|---|---|
| Priority Sorter | XStream | Unnecessary serialization of a type from Apache Ant | PR #42 | Fixed in 3.6.0 |
| Saltstack | Remoting | JSONObject serialization in HttpCallable | PR #116 | Fixed in 3.1.4, upgrade. |
| | Remoting | Unnecessary serialization of a | | Fixed in 2.2.1, upgrade. |
| Project Description Setter | XStream | Unnecessary serialization of a Charset | PR #2 | Fixed in 1.2 |
| Publish Over CIFS | XStream | Various errors, core functionality is affected | commit | Fixed in 0.6 |
| | XStream | Various errors, core functionality is affected | JENKINS-48926 | Fixed in 1.2.2 |
| | XStream | Various errors, core functionality is affected | commit | Fixed in 1.13 |
| | XStream | Various errors, core functionality is affected | JENKINS-48920 | Fixed in 1.18 |
| CRX Content Pack Deployer | Remoting | Serialization of classes from an external library. Execution on agents may be impacted | PR #8 | Fixed in 1.8.1 |
| PRQA | Remoting | Serialization of PRQAComplianceStatus from a 3rd-party library. The plugin won't work on agents. | JENKINS-48939 | Fixed in 3.0.1 |
| | XStream | Serialization of java.util.EnumSet to the disk, which was not whitelisted | JENKINS-50939 | Fixed in Jenkins 2.119 and 2.107.3. Workaround: whitelist java.util.EnumSet |
| Nexus Platform | Remoting | Suspected error in IQ scans | | Fixed in 1.6. Workaround: whitelist entries in PR #17 |
| TestLink | XStream | Serialization of classes from a 3rd-party library | | Fixed in 3.13. For TestNG reporting, an update to Jenkins core 2.104 is also required. Workaround: whitelist entries in PR #29 |
| | Remoting | Serialization of tap4j model classes when collecting TAP reports from the agents. | JENKINS-50445 | Fixed in 3.14. Workaround: whitelist entries in PR #32 or install TAP plugin 2.2.1 or above |
| TAP | XStream | Serialization of classes from the 3rd-party tap4j library | JENKINS-48925 | Fixed in 2.2.1. Workaround: whitelist entries in PR #20 |
| Build Failure Analyzer | XStream | Serialization of classes from a 3rd-party library | JENKINS-48932 | Fixed in 1.19.2. Also update Gerrit Trigger to 2.27.2 if it is installed |
| Gerrit Trigger | XStream | Serialization of classes from a 3rd-party library | JENKINS-48943 | Fixed in 2.27.2 |
| Build Name Setter | XStream | Serialization of PrintStream to the disk (for logging purposes) | | Fixed in 1.6.8 |
| GitHub Pull Request Builder | XStream | Serialization of classes from a 3rd-party GitHub API library | JENKINS-48950 | Fixed in 1.40.0 |
| ConfigFileProvider | XStream | Serialization of non-whitelisted Java internal classes, confirmed for instances which perform data migration for old builds | JENKINS-48956 | Fixed in 2.17 and in Jenkins 2.103 |
| OctoPerf Load Testing | XStream | Serialization of non-whitelisted Java internal classes | | Fixed in Jenkins 2.103 |
| Reverse Proxy Auth | XStream | Persistence of caches on the disk due to a plugin defect | JENKINS-48970 | Fixed in 1.6.0. The release includes many historical changes, please raise issues if you see any regressions. |
| Artifactory | Remoting | Serialization of classes from 3rd-party libraries (Artifact, etc.). Executions on agents may fail | JENKINS-48983 | Fixed in Workaround: N/A (too many affected classes), upgrade is required |
| Anchore Container Image Scanner | XStream | Serialization of Guava classes and JSONObjects to the disk | JENKINS-48989 | Fixed in 1.0.13 |
| Android Lint (and possibly other plugins based on Analysis Core) | Remoting | Lint Publisher serializes non-whitelisted classes. | JENKINS-49016 | Fixed in Jenkins 2.103 |
| | XStream and Remoting | Serialization of non-whitelisted Java internal classes | | Fixed in 1.21 |
| PVCS SCM | XStream | Serialization of org.apache.commons.logging.Log to the disk | | Fixed in 1.2, upgrade. |
| | XStream | Serialization of java.util.RandomAccessSubList to the disk in the Extensible Choice Test Area Parameter | | Fixed in 1.4.2. Workaround: whitelist entries in PR #33 |
| RunDeck | XStream | Serialization of classes from a 3rd-party library | JENKINS-49074 | Fixed in 3.6.4. Workaround: whitelist entries in PR #33 |
| GitHub Integration | XStream | Serialization of non-whitelisted Java internal classes | Issue #253 | Fixed in Jenkins core 2.104. Workaround: whitelist entries in core PR #3253 |
| RabbitMQ Consumer | XStream | Serialization of classes from a 3rd-party library | JENKINS-49083 | Fixed in 2.8 |
| Maven Integration | XStream | Serialization of caches | JENKINS-49089 | Fixed in 3.1 |
| | Remoting | Serialization of Maven model objects | JENKINS-50251 | Fixed in 3.1.1. Workaround: avoid |
| Cucumber JSON Test Reporting | Remoting | Serialization of classes from a 3rd-party library | JENKINS-49101 | Fixed in 0.10.1 |
| Mesos | XStream | Serialization of java.util.concurrent.locks.ReentrantLock to the disk | | Fixed in 0.15.1 |
| | XStream | Serialization of JSONObject when "MesosCloud > Slave Info" is defined | JENKINS-50303 | Fixed in 0.16 |
| Sonar Quality Gates | XStream | Serialization of the HttpClient and HttpClientContext classes | JENKINS-49130 | Fixed in 1.2.0 |
| | XStream | Serialization of ReentrantLock and other utility classes | | Won't do. The plugin is deprecated and depublished due to known security issues (advisory). JEP-200 maintainers do not plan to offer a fix, though somebody else may do that. |
| Last Changes | XStream | Incorrect caching of SimpleDateFormat | JENKINS-49176 | Fixed in 2.6 |
| Job DSL | XStream | Serialization of generated views. No impact on build execution. | JENKINS-49175 | Fixed in 1.67 |
| Pipeline :: Declarative | XStream | Storage of BigDecimal and BigInteger in the AST model when values like "0.1" are declared in the Pipeline definition | JENKINS-49070 | Fixed in Jenkins core 2.104. Also: PR #239. |
| OWASP Dependency-Check | Remoting | Serialization of classes from 3rd-party libraries | PR #20 | Fixed in 3.1.1 |
| | Remoting / XStream | Serialization of non-whitelisted Java-internal classes | | Fixed in 1.2. Workaround: whitelist entries in PR #2 |
| | XStream | Serialization of 3rd-party classes from the GitHub API | | Fixed in 2.0 |
| S3 | XStream | Serialization of non-whitelisted com.amazonaws.regions.Region in S3 Publisher | | Fixed in 0.11.0. Workaround: whitelist entries in PR #112 |
| | XStream | Serialization of 3rd-party classes to the disk | | Fixed in 3.0.7. Workaround: whitelist entries there |
| CVS | Remoting | Serialization of non-whitelisted Java-internal classes | JENKINS-49574 | Fixed in 2.14. Workaround: whitelist the following classes OR restart Jenkins between each build (only the first build works). |
| | XStream | Serialization of non-whitelisted Guava collection classes | | Fixed in 1.3.0. Workaround: whitelist classes in PR #23 |
| | XStream | Serialization of parser classes, which use fields from 3rd-party libraries. | | Fixed in 1.3.0. Workaround: N/A |
| | XStream | The plugin serializes the blacklisted PowerAssertionError type in the case of user-defined assertions in Pipeline scripts. | | Fixed in 2.26 |
| Filesystem List Parameter | XStream | Serialization of non-whitelisted Java-internal classes | JENKINS-49649 | Fixed in 0.0.4 |
| Unreliable Slave | XStream | Serialization of the InternetAddress class | JENKINS-49650 | Assigned to the maintainer. Workaround: whitelist javax.mail.internet.InternetAddress |
| Doktor | XStream | Serialization of non-whitelisted classes from the Kotlin standard template library | JENKINS-49699 | Assigned to the maintainer. Workaround: N/A |
| Packer | Remoting & XStream | Serialization of blacklisted JSONObject classes | JENKINS-49715 | Fixed in 1.5 |
| | XStream | Serialization of blacklisted JSONObject classes to the disk in the build step configuration. | | Assigned to the maintainer. Workaround: N/A, whitelisting of JSONObject is not recommended |
| PTC Integrity CM | XStream | Accidental serialization of Derby connection information. | JENKINS-50001 | Fixed in 2.2 |
| Performance | XStream | Serialization of cached DateFormatter classes in the Global configuration. Limited impact on users. | | Fixed in 3.6, PR #162 |
| | XStream | Improper serialization of DateFormat classes in the JMeterCsvParser | JENKINS-51703 | Fix pending, PR #170 |
| Google OAuth Credentials (and dependent plugins) | XStream | Serialization of non-whitelisted org.joda.time classes in RemotableGoogleCredentials and child classes | | Fixed in 0.6 |
| AWS CodeBuild | XStream | Serialization of non-whitelisted 3rd-party classes | JENKINS-50264 | Fixed in 0.20. Workaround: whitelist entries in PR #7 |
| Cucumber Living Documentation | XStream | Serialization of Logger classes to the disk | JENKINS-50271 | Fixed in 2.1.2 |
| Monitoring | Remoting | Serialization of model objects over the channel in old versions of the plugin | JENKINS-50280 | Fixed in 1.71.0. Workaround: Jenkins core includes a whitelist for versions 1.68.0+, but older versions need an update |
| | XStream | Serialization of model objects from an internal library, which is not properly whitelisted | | Confirmed, waiting for a response from the maintainer. Workaround: use JUnit Realtime Test Reporter instead |
| | XStream | Persistence of EC2FleetCloud cache objects on the disk | | Fixed in 1.1.6 |
| Subversion | Remoting | Serialization of non-whitelisted error message classes when a checkout error happens on agents. | JENKINS-50339 | Fixed in 2.10.5 |
| Pipeline: Job | XStream | Plugin generates warnings when loading Runs performed by plugin versions before 1.14 (released on 25 Feb 2016) | JENKINS-50350 | Fixed in 2.19 |
| Pipeline Utility Steps | Remoting | The findFiles() Pipeline step may fail to deserialize the response if the step is invoked for a non-existent folder OR if the pattern is invalid | JENKINS-50237 | Fixed in 2.0.2 and in Jenkins core 2.113 |
| | XStream | readMavenPom() and writeMavenPom() use non-whitelisted Maven model classes in their API. writeMavenPom() will always fail if Pipeline: CPS is not updated to 2.48+ (JENKINS-50752) | JENKINS-50633 | Fixed in 2.1.0. Workaround: update Pipeline: CPS to 2.48+ |
| TestFairy | Remoting | Serialization of blacklisted JSONObject classes in the iOS report publisher | JENKINS-50424 | Fixed in 4.16 |
| Consul | XStream | Serialization of blacklisted JSONObject classes to the disk in Global Configuration. Plugin settings won't be loaded/saved correctly. | JENKINS-50463 | Confirmed, assigned to the maintainer |
| Dr. Memory | XStream | Serialization of Run actions with non-whitelisted 3rd-party classes | JENKINS-50460 | Fixed in 1.5 |
| Docker | XStream | Serialization of non-whitelisted classes from the 3rd-party docker-java library. | JENKINS-50480 | Fixed in 1.1.3 |
| Black Duck Hub | XStream | Serialization of non-whitelisted 3rd-party classes | | Fixed in 3.1.0 |
| AWS Device Farm | XStream | Unnecessary serialization of java.io.PrintStream to the disk. | | Fixed in 1.16 |
| | XStream | Unnecessary serialization of DateFormatter classes to the disk, risk of concurrency issues. | | Fix pending, PR #35 |
| aRESTocats | XStream | Serialization of blacklisted JSONArray classes in the Arestocats report publisher | | Fixed in 1.1 |
| Docker Traceability | XStream | Serialization of non-whitelisted Docker Java and internal classes in the Docker Traceability Report data structure within Fingerprints | JENKINS-50509 | Assigned to the maintainer. Unconfirmed, revealed by code investigation |
| Google Compute Engine | XStream | Serialization of non-whitelisted 3rd-party classes | | Assigned to the maintainer. Workaround: N/A |
| CI Skip (and probably other plugins using Ruby Runtime) | XStream | Serialization of non-whitelisted classes from Ruby Runtime | | Fixed in Jenkins 2.119 and 2.107.3. Follow-up ticket for patches on the plugin side: JENKINS-51074. Workaround: whitelist org.jruby.RubyNil |
| Kubernetes CD | Remoting | Serialization of non-whitelisted Jackson Databind classes | JENKINS-50760 | Fixed in 0.2.1. The generic issue propagation problem was fixed in 2.113+ by JENKINS-50237 |
| Allure | XStream | Serialization of the non-whitelisted WeakReference class | Allure Plugin Issue #192 | Fixed in 2.26.0 |
| | XStream | Serialization of the non-whitelisted WeakReference class in cache objects | | Confirmed by code inspection |
| | XStream | Serialization of the non-whitelisted WeakReference class in cache objects | | Fix pending, PR #12 |
| | XStream | Serialization of non-whitelisted classes from the Java Gitlab API library | | Confirmed |
| Kubernetes | Remoting | Serialization of non-whitelisted classes from the Fabric8 Kubernetes API library in cases when agent provisioning fails with a client exception | JENKINS-50959 | Confirmed, low impact |
| Pipeline: CPS | XStream | Non-serializable arguments (e.g. non-whitelisted classes) in Pipeline steps may lead to Pipeline failures, even if these steps are invoked within the NonCPS context | JENKINS-50752 | Fixed in 2.48 |
| | XStream | Unnecessary serialization of java.io.PrintStream to the disk. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | | Assigned to the maintainer |
| Gatling | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the Gatling Publisher step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50977 | Fixed in 1.2.3 |
| CloudCoreo DeployTime | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the CloudCoreo Deploy Wrapper. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50978 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| LoaderIO | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the LoaderIO publisher. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50979 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| MicroFocus DA | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the DA deployment step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50980 | Assigned to the maintainer. Not confirmed, discovered by code inspection. The plugin has never been released |
| IBM Security AppScan Source Scanner | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the AppScan Source scanner step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50981 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| IBM Security AppScan Standard Scanner | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the AppScan Standard scanner step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50982 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| Load Testing for LoadFocus.com | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the AppScan Standard scanner step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50983 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| Git Changelog | XStream | Serialization of non-whitelisted classes from Git Changelog Lib | JENKINS-50990 | Fixed in 2.3 |
| Whitesource | Remoting | Serialization of non-whitelisted 3rd-party classes | JENKINS-51025 | Fixed in 18.3.2 |
| ClearCase UCM | XStream | Unnecessary serialization of java.io.PrintStream, DateFormat and 3rd-party library classes | JENKINS-51105 | Confirmed |
| Filesystem Trigger | Remoting | Serialization of non-whitelisted classes from the XTrigger Lib | JENKINS-51211 | Confirmed |
| | XStream | Unnecessary serialization of java.io.PrintStream, DateFormat | | Fixed in 2.3 |
| | Remoting | Serialization of the non-whitelisted net.sf.saxon.expr.CardinalityChecker class while processing reports on agents | | Fixed in 2.0.1. Confirmed for version 2.0.0. Workaround: use previous releases |
| | XStream | Serialization of Logger classes from SLF4J | | Confirmed |
| | XStream | Serialization of non-whitelisted classes from the 3rd-party Liquibase library | | Confirmed. Workaround: N/A. The plugin is depublished due to other security issues in the code (SECURITY-519) |
| | XStream | Serialization of classes from a bundled library within the project. Also there is unnecessary serialization of java.io.PrintStream to the disk | | Discovered by code inspection, not confirmed |
| | XStream | Unnecessary serialization of the org.slf4j.impl.JDK14LoggerAdapter class | | Fixed in 0.9.7 (2.121.x is the minimal required baseline) |
| GitLab | XStream | Serialization of non-whitelisted classes from the GitLab API library | JENKINS-51691 | Confirmed |
| HTTP Request | Remoting | Serialization of the non-whitelisted org.apache.http.HttpHost class when an HTTP proxy is configured in the plugin | JENKINS-51741 | Confirmed |
| | XStream | Serialization of blacklisted JSONObject classes | JENKINS-51909 | Fixed in 8.0.13. |
| HPE Application Automation Tools (aka Micro Focus Application Automation Tools) | XStream | Serialization of non-whitelisted classes from a third-party library | | Fixed in 5.4.2-beta |
| Kubernetes :: Pipeline :: Kubernetes Steps | Remoting | Serialization of non-whitelisted classes from a third-party library | JENKINS-49506 | Worked around in core 2.102; plugin patch merged but unreleased |
| PIT Mutation | XStream | Serialization of non-whitelisted classes from a third-party library | | Confirmed |
| Logstash | XStream | Serialization of non-whitelisted Charset classes to the disk when RabbitMQ is configured as a logging destination | | Confirmed |
| | XStream | Serialization of org.apache.tools.ant.Location, which is not whitelisted in Jenkins 2.107.1 | | Fixed in Jenkins 2.107.2 |
| Quay.io Trigger Plugin | XStream | Serialization of JSONObject classes. | JENKINS-54406 | |
| Parameterized Remote Trigger Plugin | XStream | | JENKINS-56770 | |
| Checkmarx | Remoting | | JENKINS-57796 | |
Other 3rd-party plugins
This section tracks reports for plugins which are not available in the official Jenkins update centers. For these plugins the JEP-200 maintainers do NOT commit to investigating or fixing defects (especially for closed-source plugins).
| Plugin name | Serialization type | Behaviour | Issue / pull request | Status |
|---|---|---|---|---|
| CA Release Automation | XStream | Serialization of JSONObject classes. | JENKINS-49431 | Vendor notified |
| Nexus Jenkins Plugin | XStream | Serialization of a non-whitelisted Server Configuration class in "Insight Link" | JENKINS-50257 | Vendor notified. Workaround: use the open-source Nexus Platform Plugin instead |
| StormRunnerPlugin | XStream | Unnecessary serialization of java.io.PrintStream to the disk. | JENKINS-50594 | Workaround: whitelist java.io.PrintStream (not recommended) |
| Shiro Plugin | XStream | Serialization of Run actions with non-whitelisted 3rd-party classes | JENKINS-50781 | Developer notified |
Other affected components/configurations
In addition to Jenkins plugins, some other components have been affected by JEP-200.
| Component/Configuration | Behaviour | Issue(s) | Status/mitigation |
|---|---|---|---|
| Jenkins running in Apache Tomcat web container | Jenkins 2.102 and later could fail to start or run properly when loaded inside certain containers, including old versions of Tomcat. | | Fixed in 2.107.1/2.108. Workaround: use the latest Apache Tomcat server (8.0.50 or above) |
| Jenkins Core | Deserialization of exceptions with non-whitelisted fields may cause errors. Jenkins core is affected by that, because its FilePath#list(String includes, String excludes, boolean defaultExcludes) method may throw such an exception if the specified includes/excludes patterns are invalid or if the target directory does not exist. It may cause regressions in plugins like Pipeline Utility Steps which use the API. | JENKINS-50237 | Fixed in 2.113 and 2.107.2. The fix applies a patch for the particular JENKINS-50237 issue. In order to be protected from the entire class of issues, Remoting needs to be upgraded to 3.19 on all agents |