Jenkins Security Advisory 2023-02-09

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins Docker images

Descriptions

Git releases with critical vulnerabilities on Jenkins Docker images

SECURITY-3039 / CVE-2022-23521 and CVE-2022-41903
Severity (CVSS): Critical
Description:

The Jenkins project provides Docker images for both controllers and agents. Most of these Docker images include the git command line tool to interact with Git repositories.

Git releases published before 2023-01-17 are affected by the vulnerabilities CVE-2022-23521 and CVE-2022-41903. In the context of Jenkins, the former vulnerability could be exploited through crafted repository contents, allowing an attacker with commit access to a Git repository cloned on a Jenkins controller or agent to achieve remote code execution.

Building software is the primary use case for Jenkins. To accomplish that, Jenkins invokes build scripts containing user-specified code, usually retrieved from an SCM like Git. As a result, this vulnerability only has a real impact in very narrow circumstances: when attackers can control repository contents, but are unable to change build steps, Jenkinsfiles, test code that gets executed by Jenkins, or similar.

Affected Jenkins controller and agent images for current releases of Jenkins have been updated to include releases of Git that include fixes for these vulnerabilities.

Administrators can confirm they’re using an up-to-date version of Git on their Jenkins Docker images as follows:

  • Debian-based images (the default, tags include latest, lts, jdk11, etc., as well as all slim images) for both controller (jenkins/jenkins) and agents (jenkins/agent, jenkins/inbound-agent, jenkins/ssh-agent) need Git 2.30.2-1+deb11u1 or newer to be safe. Run the following command to confirm the image is up to date (replacing ${IMAGE} and ${TAG} as needed):
    docker run --rm --entrypoint='' jenkins/${IMAGE}:${TAG} sh -c 'dpkg -l git'

  • Alpine-based images for both controller (jenkins/jenkins) and agents (jenkins/agent, jenkins/inbound-agent, jenkins/ssh-agent) need a version that’s considered fixed in the Git security advisory (e.g., 2.36.4, 2.34.6, 2.32.5). Run the following command to confirm the image is up to date (replacing ${IMAGE} and ${TAG} as needed):
    docker run --rm --entrypoint='' jenkins/${IMAGE}:alpine-${TAG} sh -c 'apk list git 2>/dev/null'

  • AlmaLinux-based images for the controller (jenkins/jenkins) need Git 2.31.1-3 or newer to be safe. Run the following command to confirm the image is up to date (replacing ${TAG} as needed):
    docker run --rm --entrypoint='' jenkins/jenkins:${TAG} sh -c 'rpm -qa git-core'

  • Red Hat-based (UBI and CentOS) images (tags include, e.g., rhel-ubi8-jdk11, rhel-ubi9-jdk17, centos7) for the controller (jenkins/jenkins) need Git 2.31.1-3 or newer to be safe. Run the following command to confirm the image is up to date (replacing ${TAG} as needed):
    docker run --rm --entrypoint='' jenkins/jenkins:${TAG} sh -c 'rpm -qa git'

  • Windows-based images for controller (jenkins/jenkins) do not include Git.

  • Windows-based images for agents (jenkins/agent, jenkins/inbound-agent, jenkins/ssh-agent) need a version that’s considered fixed in the Git security advisory (e.g., 2.36.4, 2.34.6, 2.32.5). Run the following command inside a container to confirm it is up to date:
    git --version

Severity

Affected Versions

  • Jenkins Docker images up to and including n/a (see above)

Fix

  • Jenkins Docker images should be updated to version n/a (see above)

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.