Jenkins : Plugins affected by fix for JEP-200

For years, the Jenkins project has received reports of remote code execution (RCE) attacks involving Remoting and/or XStream. Typically the attacks involve fairly exotic classes in the Java Platform, or sundry libraries such as Groovy. The Jenkins CERT has responded to such reports reactively, by blacklisting the affected classes or packages. That approach has proven unmaintainable, and in JENKINS-47736 we have switched from a blacklist to a whitelist.

JEP sponsors and reviewers invested significant time into testing plugins, but there is an obvious risk that particular plugins use types which are not covered by the whitelists. In this document we track such plugins and known issues so that Jenkins administrators can update in a timely manner and/or apply workarounds.

Workarounds

  • Workarounds can be applied on both Jenkins administrator and plugin developer sides
  • Workarounds are described in the JEP-200 blogpost

Affected plugins

The table provides a list of plugins which were affected by JEP-200 in Jenkins 2.102+. The "Status" column reflects the current state; fixes may be applied on the plugin and/or on the core side. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. In this list we track only plugins with issues in the production code. Issues in test classes are tracked separately.

More importantly, please file a bug report with the JEP-200 label, if one doesn't exist, to help ensure that the appropriate plugin maintainer is informed. 

Plugins hosted in main Jenkins Update Center

| Plugin name | Serialization type | Behaviour | Issue / pull request | Status |
| --- | --- | --- | --- | --- |
| Priority Sorter | XStream | Unnecessary serialization of a type from Apache Ant | PR #42 | Fixed in 3.6.0 |
| Saltstack | Remoting | JSONObject serialization in HttpCallable | PR #116 | Fixed in 3.1.4, upgrade. |
| CloudBees DockerHub Notification | Remoting | Unnecessary serialization of a JSONObject | PR #16 | Fixed in 2.2.1, upgrade. |
| Project Description Setter | XStream | Unnecessary serialization of a Charset | PR #2 | Fixed in 1.2 |
| Publish Over CIFS | XStream | Various errors, core functionality is affected | commit | Fixed in 0.6 |
| Publish Over Dropbox | XStream | Various errors, core functionality is affected | JENKINS-48926 | Fixed in 1.2.2 |
| Publish over FTP | XStream | Various errors, core functionality is affected | commit | Fixed in 1.13 |
| Publish over SSH | XStream | Various errors, core functionality is affected | JENKINS-48920 | Fixed in 1.18 |
| CRX Content Pack Deployer | Remoting | Serialization of classes from an external library. Execution on agents may be impacted | PR #8 | Fixed in 1.8.1 |
| PRQA | Remoting | Serialization of PRQAComplianceStatus from a 3rd-party library. The plugin won't work on agents. | JENKINS-48939 | Fixed in 3.0.1 |
| PRQA | XStream | Serialization of java.util.EnumSet to the disk, which was not whitelisted | JENKINS-50939 | Fixed in Jenkins 2.119 and 2.107.3. Workaround: whitelist java.util.EnumSet |
| Nexus Platform | Remoting | Suspected error in IQ scans | | Fixed in 1.6. Workaround: whitelist entries in PR #17 |
| TestLink | XStream | Serialization of classes from a 3rd-party library | JENKINS-48924, JENKINS-48995, JENKINS-49228 | Fixed in 3.13. For TestNG reporting an update to Jenkins core 2.104 is also required. Workaround: whitelist entries in PR #29 |
| TestLink | Remoting | Serialization of tap4j model classes when collecting TAP reports from the agents. | JENKINS-50445 | Fixed in 3.14. Workaround: whitelist entries in PR #32 or install TAP plugin 2.2.1 or above |
| TAP | XStream | Serialization of classes from the 3rd-party tap4j library | JENKINS-48925 | Fixed in 2.2.1. Workaround: whitelist entries in PR #20 |
| Build Failure Analyzer | XStream | Serialization of classes from a 3rd-party library | JENKINS-48932 | Fixed in 1.19.2. Also update Gerrit Trigger to 2.27.2 if it is installed |
| Gerrit Trigger | XStream | Serialization of classes from a 3rd-party library | JENKINS-48943 | Fixed in 2.27.2 |
| Build Name Setter | XStream | Serialization of PrintStream to the disk (for logging purposes) | | Fixed in 1.6.8 |
| GitHub Pull Request Builder | XStream | Serialization of classes from a 3rd-party GitHub API library | JENKINS-48950 | Fixed in 1.40.0 |
| ConfigFileProvider | XStream | Serialization of non-whitelisted Java internal classes, confirmed for instances which perform data migration for old builds | JENKINS-48956 | Fixed in 2.17 and in Jenkins 2.103 |
| OctoPerf Load Testing | XStream | Serialization of non-whitelisted Java internal classes | | Fixed in Jenkins 2.103 |
| Reverse Proxy Auth | XStream | Persistence of caches on the disk due to a plugin defect | JENKINS-48970 | Fixed in 1.6.0. The release includes many historical changes, please raise issues if you see any regressions. |
| Artifactory | Remoting | Serialization of classes from 3rd-party libraries (Artifact, etc.). Executions on agents may fail | JENKINS-48983 | Fixed in 2.15.0. Workaround: N/A (too many affected classes), upgrade is required |
| Anchore Container Image Scanner | XStream | Serialization of Guava classes and JSONObjects to the disk | JENKINS-48989 | Fixed in 1.0.13 |
| Android Lint (and possibly other plugins based on Analysis Core) | Remoting | Lint Publisher serializes non-whitelisted classes. | JENKINS-49016 | Fixed in Jenkins 2.103 |
| Pipeline: AWS | XStream and Remoting | Serialization of non-whitelisted Java internal classes | JENKINS-49025 | Fixed in 1.21 |
| PVCS SCM | XStream | Serialization of org.apache.commons.logging.Log to the disk | JENKINS-49024 | Fixed in 1.2, upgrade. |
| Extensible Choice Parameter | XStream | Serialization of java.util.RandomAccessSubList to the disk in the Extensible Choice Test Area Parameter | JENKINS-49017 | Fixed in 1.4.2. Workaround: whitelist entries in PR #33 |
| RunDeck | XStream | Serialization of classes from a 3rd-party library | JENKINS-49074 | Fixed in 3.6.4. Workaround: whitelist entries in PR #33 |
| GitHub Integration | XStream | Serialization of non-whitelisted Java internal classes | Issue #253 | Fixed in Jenkins core 2.104. Workaround: whitelist entries in core PR #3253 |
| RabbitMQ Consumer | XStream | Serialization of classes from a 3rd-party library | JENKINS-49083 | Fixed in 2.8 |
| Maven Integration | XStream | Serialization of caches | JENKINS-49089 | Fixed in 3.1 |
| Maven Integration | Remoting | Serialization of Maven model objects | JENKINS-50251 | Fixed in 3.1.1. Workaround: avoid ciNotification |
| Cucumber JSON Test Reporting | Remoting | Serialization of classes from a 3rd-party library | JENKINS-49101 | Fixed in 0.10.1. Workaround: whitelist entries in PR #12 & PR #13 |
| Mesos | XStream | Serialization of java.util.concurrent.locks.ReentrantLock to the disk | JENKINS-49117 | Fixed in 0.15.1 |
| Mesos | XStream | Serialization of JSONObject when "MesosCloud > Slave Info" is defined | JENKINS-50303 | Fixed in 0.16 |
| Sonar Quality Gates | XStream | Serialization of HttpClient and HttpClientContext classes | JENKINS-49130 | Fixed in 1.2.0 |
| Build Flow Plugin | XStream | Serialization of ReentrantLock and other utility classes | JENKINS-49144 | Won't do. The plugin is deprecated and depublished due to known security issues (advisory). JEP-200 maintainers do not plan to offer a fix, though somebody else may do that. |
| Last Changes | XStream | Incorrect caching of SimpleDateFormat | JENKINS-49176 | Fixed in 2.6 |
| Job DSL | XStream | Serialization of generated views. No impact on build execution. | JENKINS-49175 | Fixed in 1.67 |
| Pipeline :: Declarative | XStream | Storage of BigDecimal and BigInteger in the AST model when values like "0.1" are declared in the Pipeline definition | JENKINS-49070 | Fixed in Jenkins core 2.104. Also: PR #239. |
| OWASP Dependency-Check | Remoting | Serialization of classes from 3rd-party libs | PR #20 | Fixed in 3.1.1 |
| CppNCSS | Remoting / XStream | Serialization of non-whitelisted Java-internal classes | JENKINS-49237 | Fixed in 1.2. Workaround: whitelist entries in PR #2 |
| GitHub Autostatus | XStream | Serialization of 3rd-party classes from the GitHub API | JENKINS-49294 | Fixed in 2.0 |
| S3 | XStream | Serialization of non-whitelisted com.amazonaws.regions.Region in S3 Publisher | JENKINS-49371 | Fixed in 0.11.0. Workaround: whitelist entries in PR #112 |
| Fortify on Demand Uploader | XStream | Serialization of 3rd-party classes to the disk | JENKINS-49377 | Fixed in 3.0.7. Workaround: whitelist entries there |
| CVS | Remoting | Serialization of non-whitelisted Java-internal classes | JENKINS-49574 | Fixed in 2.14. Workaround: whitelist the following classes OR restart Jenkins between each build (only the first build works). |
| Matrix Configuration Parameter | XStream | Serialization of non-whitelisted Guava collection classes | JENKINS-49573 | Fixed in 1.3.0. Workaround: whitelist classes in PR #23 |
| JDepend | XStream | Serialization of parser classes, which use fields from 3rd-party libraries. | JENKINS-49586 | Fixed in 1.3.0. Workaround: N/A |
| Pipeline: API | XStream | The plugin serializes the blacklisted PowerAssertionError type in the case of user-defined assertions in Pipeline scripts. | JENKINS-41751 | Fixed in 2.26 |
| Filesystem List Parameter | XStream | Serialization of non-whitelisted Java-internal classes | JENKINS-49649 | Fixed in 0.0.4 |
| Unreliable Slave | XStream | Serialization of the InternetAddress class | JENKINS-49650 | Assigned to the maintainer. Workaround: whitelist javax.mail.internet.InternetAddress |
| Doktor | XStream | Serialization of non-whitelisted classes from the Kotlin standard template library | JENKINS-49699 | Assigned to the maintainer. Workaround: N/A |
| Packer | Remoting & XStream | Serialization of blacklisted JSONObject classes | JENKINS-49715 | Fixed in 1.5 |
| Openstack Heat | XStream | Serialization of blacklisted JSONObject classes to the disk in the build step configuration. | JENKINS-49964 | Assigned to the maintainer. Workaround: N/A, whitelisting of JSONObject is not recommended |
| PTC Integrity CM | XStream | Accidental serialization of Derby connection information. | JENKINS-50001 | Fixed in 2.2 |
| Performance | XStream | Serialization of cached DateFormatter classes in the global configuration. Limited impact on users. | JENKINS-49022 | Fixed in 3.6, PR #162 |
| Performance | XStream | Improper serialization of DateFormat classes in the JMeterCsvParser | JENKINS-51703 | Fix pending, PR #170 |
| Google OAuth Credentials (and dependent plugins) | XStream | Serialization of non-whitelisted org.joda.time classes in RemotableGoogleCredentials and child classes | JENKINS-50216 | Fixed in 0.6 |
| AWS CodeBuild | XStream | Serialization of non-whitelisted 3rd-party classes | JENKINS-50264 | Fixed in 0.20. Workaround: whitelist entries in PR #7 |
| Cucumber Living Documentation | XStream | Serialization of Logger classes to the disk | JENKINS-50271 | Fixed in 2.1.2 |
| Monitoring | Remoting | Serialization of model objects over the channel in old versions of the plugin | JENKINS-50280 | Fixed in 1.71.0. Workaround: Jenkins core includes a whitelist for versions 1.68.0+, but older versions need an update |
| Test In Progress | XStream | Serialization of model objects from an internal library, which is not properly whitelisted | JENKINS-50283 | Confirmed, waiting for a response from the maintainer. Workaround: use JUnit Realtime Test Reporter instead |
| EC2 Fleet | XStream | Persistence of EC2FleetCloud cache objects on the disk | JENKINS-50318 | Fixed in 1.1.6 |
| Subversion | Remoting | Serialization of non-whitelisted error message classes when a checkout error happens on agents. | JENKINS-50339 | Fixed in 2.10.5 |
| Pipeline: Job | XStream | Plugin generates warnings when loading Runs performed by plugin versions before 1.14 (released on 25 Feb 2016) | JENKINS-50350 | Fixed in 2.19 |
| Pipeline Utility Steps | Remoting | The findFiles() Pipeline step may fail to deserialize the response if the step is invoked for a non-existent folder OR if the pattern is invalid | JENKINS-50237 | Fixed in 2.0.2 and in Jenkins core 2.113 |
| Pipeline Utility Steps | XStream | readMavenPom() and writeMavenPom() use non-whitelisted Maven model classes in their API. writeMavenPom() will always fail if Pipeline: CPS is not updated to 2.48+ (JENKINS-50752) | JENKINS-50633 | Fixed in 2.1.0. Workaround: update Pipeline: CPS to 2.48+ |
| TestFairy | Remoting | Serialization of blacklisted JSONObject classes in the iOS report publisher | JENKINS-50424 | Fixed in 4.16 |
| Consul | XStream | Serialization of blacklisted JSONObject classes to the disk in the global configuration. Plugin settings won't be loaded/saved correctly. | JENKINS-50463 | Confirmed, assigned to the maintainer |
| Dr. Memory | XStream | Serialization of Run actions with non-whitelisted 3rd-party classes | JENKINS-50460 | Fixed in 1.5 |
| Docker | XStream | Serialization of non-whitelisted classes from the 3rd-party docker-java library. | JENKINS-50480 | Fixed in 1.1.3 |
| Black Duck Hub | XStream | Serialization of non-whitelisted 3rd-party classes | JENKINS-50502 | Fixed in 3.1.0 |
| AWS Device Farm | XStream | Unnecessary serialization of java.io.PrintStream to the disk. | JENKINS-50483 | Fixed in 1.16 |
| FitNesse | XStream | Unnecessary serialization of DateFormatter classes to the disk, risk of concurrency issues. | PR #35 | Fix pending, PR #35 |
| aRESTocats | XStream | Serialization of blacklisted JSONArray classes in the Arestocats report publisher | Issue #1 | Fixed in 1.1 |
| Docker Traceability | XStream | Serialization of non-whitelisted Docker Java and internal classes in the Docker Traceability Report data structure within Fingerprints | JENKINS-50509 | Assigned to the maintainer. Unconfirmed, revealed by code investigation |
| Google Compute Engine | XStream | Serialization of non-whitelisted 3rd-party classes | JENKINS-50566 | Assigned to the maintainer. Workaround: N/A |
| CI Skip (and probably other plugins using Ruby Runtime) | XStream | Serialization of non-whitelisted classes from Ruby Runtime | JENKINS-50616 | Fixed in Jenkins 2.119 and 2.107.3. Follow-up ticket for patches on the plugin side: JENKINS-51074. Workaround: whitelist org.jruby.RubyNil |
| Kubernetes CD | Remoting | Serialization of non-whitelisted Jackson Databind classes | JENKINS-50760 | Fixed in 0.2.1. The generic issue propagation issue was fixed in 2.113+ by JENKINS-50237 |
| Allure | XStream | Serialization of the non-whitelisted WeakReference class | Allure Plugin Issue #192 | Fixed in 2.26.0 |
| Japex | XStream | Serialization of the non-whitelisted WeakReference class in cache objects | JENKINS-50910 | Confirmed by code inspection |
| Multi-module Tests Publisher | XStream | Serialization of the non-whitelisted WeakReference class in cache objects | JENKINS-50911 | Fix pending, PR #12 |
| Gitlab Merge Request Builder | XStream | Serialization of non-whitelisted classes from the Java Gitlab API library | JENKINS-50957 | Confirmed |
| Kubernetes | Remoting | Serialization of non-whitelisted classes from the Fabric8 Kubernetes API library in cases when agent provisioning fails with a client exception | JENKINS-50959 | Confirmed, low impact |
| Pipeline: CPS | XStream | Non-serializable arguments (e.g. non-whitelisted classes) in Pipeline steps may lead to Pipeline failures, even if these steps are invoked within the NonCPS context | JENKINS-50752 | Fixed in 2.48 |
| AWS CodeDeploy | XStream | Unnecessary serialization of java.io.PrintStream to the disk. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50974 | Assigned to the maintainer |
| Gatling | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the Gatling Publisher step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50977 | Fixed in 1.2.3 |
| CloudCoreo DeployTime | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the CloudCoreo Deploy Wrapper. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50978 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| LoaderIO | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the LoaderIO publisher. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50979 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| MicroFocus DA | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the DA deployment step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50980 | Assigned to the maintainer. Not confirmed, discovered by code inspection. The plugin has never been released |
| IBM Security AppScan Source Scanner | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the AppScan Source scanner step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50981 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| IBM Security AppScan Standard Scanner | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the AppScan Standard scanner step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50982 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| Load Testing for LoadFocus.com | XStream | Unnecessary serialization of java.io.PrintStream to the disk in the AppScan Standard scanner step. The JEP-200 issue may be triggered by other plugins persisting Job objects in the run | JENKINS-50983 | Assigned to the maintainer. Not confirmed, discovered by code inspection |
| Git Changelog | XStream | Serialization of non-whitelisted classes from Git Changelog Lib | JENKINS-50990 | Fixed in 2.3 |
| Whitesource | Remoting | Serialization of non-whitelisted 3rd-party classes | JENKINS-51025 | Fixed in 18.3.2 |
| ClearCase UCM | XStream | Unnecessary serialization of java.io.PrintStream, DateFormat and 3rd-party libraries | JENKINS-51105 | Confirmed |
| Filesystem Trigger | Remoting | Serialization of non-whitelisted classes from the XTrigger Lib | JENKINS-51211 | Confirmed |
| Audit Trail | XStream | Unnecessary serialization of java.io.PrintStream, DateFormat | JENKINS-51331 | Fixed in 2.3 |
| XUnit | Remoting | Serialization of the non-whitelisted net.sf.saxon.expr.CardinalityChecker class while processing reports on agents | JENKINS-51465, JENKINS-51556, JENKINS-51561 | Fixed in 2.0.1. Confirmed for version 2.0.0. Workaround: use previous releases |
| Harvest | XStream | Serialization of Logger classes from SLF4J | JENKINS-51464 | Confirmed |
| Liquibase Runner | XStream | Serialization of non-whitelisted classes from the 3rd-party Liquibase library | JENKINS-51540 | Confirmed. Workaround: N/A. The plugin is depublished due to other security issues in the code (SECURITY-519) |
| Hue Light | XStream | Serialization of classes from a library bundled within the project. There is also unnecessary serialization of java.io.PrintStream to the disk | JENKINS-51602 | Discovered by code inspection, not confirmed |
| Arachni Scanner | XStream | Unnecessary serialization of the org.slf4j.impl.JDK14LoggerAdapter class | JENKINS-51623 | Fixed in 0.9.7 (2.121.x is the minimal required baseline) |
| GitLab | XStream | Serialization of non-whitelisted classes from the GitLab API library | JENKINS-51691 | Confirmed |
| HTTP Request | Remoting | Serialization of a non-whitelisted org.apache.http.HttpHost class when an HTTP proxy is configured in the plugin | JENKINS-51741 | Confirmed |
| DeployHub | XStream | Serialization of blacklisted JSONObject classes | JENKINS-51909 | Fixed in 8.0.13. |
| HPE Application Automation Tools (aka Micro Focus Application Automation Tools) | XStream | Serialization of non-whitelisted classes from a third-party library | JENKINS-52366 | Fixed in 5.4.2-beta |
| Kubernetes :: Pipeline :: Kubernetes Steps | Remoting | Serialization of non-whitelisted classes from a third-party library | JENKINS-49506 | Worked around in core 2.102; plugin patch merged but unreleased |
| PIT Mutation | XStream | Serialization of non-whitelisted classes from a third-party library | JENKINS-52420 | Confirmed |
| Logstash | XStream | Serialization of non-whitelisted Charset classes to the disk when RabbitMQ is configured as a logging destination | JENKINS-52712 | Confirmed |
| Official OWASP ZAP | XStream | Serialization of org.apache.tools.ant.Location, which is not whitelisted in Jenkins 2.107.1 | JENKINS-52345 | Fixed in Jenkins 2.107.2 |
| Quay.io Trigger Plugin | XStream | Serialization of JSONObject classes. | JENKINS-54406 | |
| Parameterized Remote Trigger Plugin | XStream | | JENKINS-56770 | |
| Checkmarx | Remoting | | JENKINS-57796 | |

Other 3rd-party plugins

This section tracks reports for plugins which are not available in the official Jenkins update centers. For these plugins the Jenkins JEP-200 maintainers do NOT commit to investigating or fixing defects (especially for closed-source plugins).

| Plugin name | Serialization type | Behaviour | Issue / pull request | Status |
| --- | --- | --- | --- | --- |
| CA Release Automation | XStream | Serialization of JSONObject classes. | JENKINS-49431 | Vendor notified |
| Nexus Jenkins Plugin | XStream | Serialization of non-whitelisted Server Configuration class in "Insight Link" | JENKINS-50257 | Vendor notified. Workaround: use the open-source Nexus Platform Plugin instead |
| StormRunnerPlugin | XStream | Unnecessary serialization of java.io.PrintStream to the disk. | JENKINS-50594 | Workaround: whitelist java.io.PrintStream (not recommended) |
| Shiro Plugin | XStream | Serialization of Run actions with non-whitelisted 3rd-party classes | JENKINS-50781 | Developer notified |

Other affected components/configurations

In addition to Jenkins plugins, some other components have been affected by JEP-200.

| Component/Configuration | Behaviour | Issue(s) | Status/mitigation |
| --- | --- | --- | --- |
| Jenkins running in Apache Tomcat web container | Jenkins 2.102 and later could fail to start or run properly when loaded inside certain containers, including old versions of Tomcat. | JENKINS-49543, JENKINS-49147 | Fixed in 2.107.1/2.108. Workaround: use the latest Apache Tomcat server (8.0.50 or above) |
| Jenkins Core | Deserialization of exceptions with non-whitelisted fields may cause errors. Jenkins core is affected because its FilePath#list(String includes, String excludes, boolean defaultExcludes) method may throw such an exception if the specified includes/excludes patterns are invalid or if the target directory does not exist. It may cause regressions in plugins like Pipeline Utility Steps which use the API. | JENKINS-50237 | Fixed in 2.113 and 2.107.2. The fix applies a patch for the particular JENKINS-50237 issue. In order to be protected from the entire class of issues, Remoting needs to be upgraded to 3.19 on all agents |