About the Spring4Shell vulnerability (CVE-2022-22965)


Tomonari Katsumata

Apr 5, 2022, 10:20:29 AM
to jenkins...@googlegroups.com
Hello

I recently started using these Jenkins plugins.
- generic-webhook-trigger 1.67
- kubernetes 1.19.3
- pipeline-model-definition 1.6.0
- git 4.2.2
- git-client 3.2.1
- scmskip 1.0.1
- openshift-sync 1.0.45
- gitlab-plugin 1.5.13
(I use Jenkins 2.204.2)

This is a question without a good understanding of the contents.

- Is it affected by the Spring4Shell vulnerability (CVE-2022-22965) while using the above plugins?

It seems that no one is asking here, so I don't think there is a problem,
but I would appreciate it if you could answer it just in case.


Best regards,

--
--------------------------------------------
TEL:045-212-7539
FAX:045-212-9800
E-Mail: katsumata...@ntt-tx.co.jp
--------------------------------------------


Mark Waite

Apr 5, 2022, 10:55:26 AM
to Jenkins Users
On Tuesday, April 5, 2022 at 8:20:29 AM UTC-6 Tomonari Katsumata wrote:
Hello

I recently started using these Jenkins plugins.
- generic-webhook-trigger 1.67
- kubernetes 1.19.3
- pipeline-model-definition 1.6.0
- git 4.2.2
- git-client 3.2.1
- scmskip 1.0.1
- openshift-sync 1.0.45
- gitlab-plugin 1.5.13
(I use Jenkins 2.204.2)


No one has analyzed that Jenkins core version or those plugin releases to see if they are vulnerable. No one will analyze those versions.

You may not be affected by Spring4Shell but you are affected by many Jenkins security advisories.  See https://www.jenkins.io/security/advisories/ for the Jenkins core security advisories that may apply to that old Jenkins core version.

As a sampling, the security advisories include:
I only gathered security advisories for the last year.  Your Jenkins version is two years old.

Since you care enough about security to ask about Spring4Shell, you certainly care enough to resolve all those security advisories by upgrading Jenkins core and the Jenkins plugins that you use.

Mark Waite