CloudBees Security Advisory 2018-01-04

The information on this page is current as of February 1, 2018.

CloudBees Security Advisory 2018-01-04 is published in regards to CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 - also known as Spectre/Meltdown. This is an atypical security advisory based on an underlying industry security issue - not a security issue with CloudBees Jenkins Solutions, directly. This advisory is being published by the CloudBees Information Security Team with internal reference SECURITY-58.
 

What are Spectre and Meltdown?

Meltdown is a security flaw that could allow malicious programs to bypass the hardware barrier that separates kernel memory from a process’ virtual memory. Spectre potentially allows programs to make secret information accessible. More information can be found here: https://meltdownattack.com/

How does this affect me?

The impact is at the operating system level, on customer systems running CloudBees Jenkins Solutions as well as systems hosted by CloudBees for providing services to its customers.

Next steps?

In order to limit the exposure to this vulnerability, please update your systems with the latest security patches as soon as they are made available. Our recommendation is to keep your CloudBees Jenkins Solutions updated so that you have the latest features and patches.

How does this affect the Jenkins distribution?

Based on our analysis, we do not believe any distributed version of Jenkins, including CloudBees-specific versions and other add-ons/plugins are impacted. This includes downloadable JARs, DEBs, RPMs and Docker containers. Jenkins advisories are published via the Jenkins CERT team at https://jenkins.io/security/.

The impact occurs at the operating system level, including Amazon Machine Images (AMIs), Amazon Marketplace AMIs and VMware OVAs. We will provide new AMIs and OVAs for CloudBees Jenkins Enterprise as soon as they are available. In addition, CloudBees-hosted environments are impacted. This includes the DEV@cloud and CloudBees DevOptics services.

Cloudbees Jenkins Enterprise

For Amazon Web Services users, AWS has a security bulletin covering the vulnerability here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Updated CloudBees Jenkins Enterprise Amazon AMIs and downloadable OVAs are now available. Additionally, users have the option to install kernel updates in place on running machines, once made available from the OS vendors. Here is an article explaining how to upgrade your OS kernel in place
​​​​​​
This page will be updated with more information as it becomes available. We will maintain the last updated date at the top of the page, so you know when information has been added.

CloudBees Jenkins Platform

Amazon Marketplace AMIs for CloudBees Jenkins Platform and CloudBees Jenkins Operations Center were discontinued in 2017. No updates will be provided for these packages. If you are an impacted user of these AMIs, contact CloudBees support for steps to upgrade your kernel.

For all additional questions, you may contact your Customer Success Manager or open a ticket with CloudBees support.

DEV@cloud

All production and testing hosts have been patched at the host level and OS level.

CloudBees DevOptics

All production virtual hosts have been patched at the host level. Systems hosting infrastructure for CloudBees DevOptics will be updated and restarted on machines as OS vendors release updated kernel versions.

All production virtual hosts have been patched at the host level.  All test and production systems have had operating system patches applied and restarted. We will continue monitoring patch sets provided by our operating system vendors and will apply them as they become available.