CVE-2015-8103: Critical remotely exploitable security hole in existing TurnKey Jenkins deployments

Thanks to ElColmo it has come to our attention that existing deployments of TurnKey Jenkins are still vulnerable to CVE-2015-8103, a critical issue that allows remote code execution by unauthenticated users.

This issue has been fixed, along with many others, by the Jenkins project, as detailed in the 2015-11-11 Jenkins Security Advisory.

Due to the seriousness of the issue, new builds of TurnKey Jenkins have been published today so that new deployments are not vulnerable.

Unfortunately pre-existing deployments still need to be updated manually.

Isn't the Jenkins security update installed automatically?

No. To prevent breaking existing deployments, TurnKey ONLY auto-installs security updates from the official Debian security repository. Jenkins is not officially supported in Debian, so it doesn't get automatic updates.

For more details see the "Limitations" section on the Automatic Security Updates page.

What's the recommended way to handle this?

  1. Back up your Jenkins deployment (e.g., with TKLBAM).

    Updates to the jenkins package may require user supervision and testing, which is why Jenkins IS NOT configured to update itself automatically in the first place.

    Everything may work perfectly afterwards, or not. Be prepared.

  2. Upgrade Jenkins through the package management system by following instructions on the GitHub issue page.

  3. Stay alert by subscribing to the Jenkins Security Advisories mailing list.
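As an added example (not TurnKey's or the Jenkins project's own tooling), the following POSIX shell check reads the installed `jenkins` package version with `dpkg-query` and compares it against the first fixed release, so an administrator can confirm whether a deployment still needs the manual upgrade. The fixed version is deliberately a placeholder (`FIXED_VERSION`), because this page does not quote it; take the real value from the 2015-11-11 advisory.

```shell
#!/bin/sh
# Added example: is the installed jenkins package older than the CVE-2015-8103 fix?
# FIXED_VERSION is a placeholder; fill it in from the Jenkins Security Advisory 2015-11-11.
FIXED_VERSION="${FIXED_VERSION:-X.Y.Z}"

# version_lt A B: exit 0 if dotted-numeric version A is strictly lower than B.
# Fields are compared as integers (1.625.2 < 1.638, 1.9 < 1.10); any non-numeric
# suffix such as "+dfsg" or "~rc1" is ignored. On a Debian host
# `dpkg --compare-versions A lt B` is the canonical equivalent; this portable
# version exists so the check can be exercised off the box as well.
version_lt() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*$//')."   # trailing "." guarantees cut sees a delimiter
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*$//')."
    i=1
    while :; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then return 1; fi   # ran out of fields: equal
        fa=${fa:-0}; fb=${fb:-0}                              # missing field counts as 0
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# check_installed_jenkins: 0 = at or above the fix, 2 = needs the manual update,
# 3 = cannot tell (no dpkg-query or no jenkins package on this host).
check_installed_jenkins() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found; not a Debian-based host"; return 3; }
    installed=$(dpkg-query -W -f='${Version}' jenkins 2>/dev/null) || { echo "jenkins package not installed"; return 3; }
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo "jenkins $installed is older than $FIXED_VERSION: still exposed to CVE-2015-8103, back up and upgrade"
        return 2
    fi
    echo "jenkins $installed is at or above $FIXED_VERSION"
    return 0
}

# Run the host check only when asked, e.g.: FIXED_VERSION=<from advisory> sh check.sh --check
case "${1:-}" in
    --check) check_installed_jenkins; exit $? ;;
esac
```

The exit code (2 = update needed) lets the check be dropped into a cron job or monitoring probe across several TurnKey hosts.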

Many thanks again to ElColmo for bringing this to our attention!
