CloudBees: Serving Up a More Secure Jenkins

The ethos of the Jenkins project is aptly represented by its famous butler mascot: a server that is always running in order to serve your needs, ready to automate the mundane tasks of building, testing and deploying your software, amongst a number of other similarly menial chores. However, as anyone who has watched Downton Abbey will know, whilst the butler may be the dignified face of the operation, behind the scenes there is an army of servants tasked with navigating the proverbial battlefield and doing the work that really matters; this is where CloudBees comes in.

For nearly a decade, CloudBees has invested heavily in the Jenkins open source community project, committed to maintaining a smooth operation and ensuring the project performs at its optimal level. Within this, the most serious task we undertake is security. In order to ensure the robustness of the Jenkins Server against vulnerabilities, CloudBees employs a security officer to monitor the server, working in tandem with CloudBees engineering to detect and fix potential flaws in its system. However, such a task requires constant attention, and we are fortunate that within the Jenkins community there is a large number of contributors, users and partners who also actively investigate potential exploits, not only in the Jenkins Server itself but in all the dependent libraries that are used to build the server.

So, last summer, when CyberArk researchers found two security vulnerabilities in the Jenkins Server (CVE-2018-1999001 and CVE-2018-1999043), they contacted the Jenkins Security Officer and our engineering department got to work. The team validated and assessed the vulnerabilities, fixed and tested them, then updated our continuous integration/continuous delivery pipelines for community and product releases. As is customary, a newly found security vulnerability is kept confidential to prevent the weakness from being exploited. However, having already addressed the issues last summer, we want to again share our findings with the wider Jenkins community and our own CloudBees customers, so that any users who have not yet applied the patches will be reminded to do so: CloudBees Security Advisory 2018-07-18 and CloudBees Security Advisory 2018-08-15.

At CloudBees, we pride ourselves on making Jenkins, our figurehead at the front of the house, look good. But this task is made even more rewarding when we are aided by the wider Jenkins community and our friends at companies like CyberArk. Thank you.

Rob Davies
Vice President, Engineering
CloudBees