Better protection for debug instances in recent Jenkins and Maven HPI Plugin releases


Daniel Beck

Mar 4, 2020, 3:15:04 AM
to Jenkins Dev
Hi everyone,

Starting in Jenkins 2.223, `mvn jetty:run` will only listen on the loopback interface (localhost) by default. Maven HPI Plugin 3.12, used by default from plugin parent POM 3.57 and 4.0-beta-5, does the same for `mvn hpi:run`.

This prevents users on your network from accessing development/debug Jenkins instances. You should update plugins you work on to these releases of Maven HPI Plugin if you work on them on an untrusted network (and don't configure security).

If you want to make Jenkins available to others on your network again, use `-Dhost=0.0.0.0`.

We're aware of ESET endpoint security breaking this, as it prohibits access to `localhost:8080` specifically. Use `127.0.0.1:8080` or set e.g. `-Dport=8081`.


Slightly related, Jenkins 2.222 and newer (and therefore the upcoming LTS baseline as well) will always have CSRF protection enabled, further reducing exposure of debug Jenkins instances that never had their security set up. If you regularly run older Jenkins instances via jetty:run, hudson/jenkins-dev:run, or hpi:run, make sure to set up at least CSRF protection.

Regards,
Daniel
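The post leaves one practical question open: how to confirm which interface a running debug instance is actually bound to, for example on a Jenkins or HPI Plugin version older than the ones named above, or after someone passed `-Dhost=0.0.0.0` and forgot. The script below is an added example, not part of the original post or of the Jenkins project. It classifies the listening sockets on a port as loopback-only, exposed, or absent. The `bind_exposure` function works on any list of `ADDRESS:PORT` entries (the sample list is constructed for offline use); `live_check` assumes a Linux host with iproute2's `ss`.

```shell
#!/bin/sh
# Added example (not from the post above): check whether a Jenkins
# development instance started with `mvn jetty:run` or `mvn hpi:run` is
# listening on the loopback interface only, or is reachable from the network.

# Constructed sample of the "Local Address:Port" column of `ss -ltn`:
# port 8080 bound to loopback only (IPv4 and IPv6), port 8081 on all interfaces.
SAMPLE_LISTENERS='127.0.0.1:8080
[::1]:8080
0.0.0.0:8081
*:8081'

# bind_exposure PORT LISTENERS
# Prints "loopback" when every socket on PORT is on a loopback address,
# "exposed" when any socket on PORT is on a wildcard or non-loopback
# address, and "none" when nothing listens on PORT.
bind_exposure() {
    port=$1
    listeners=$2
    found=0
    exposed=0
    set -f                               # entries like "*:8081" must not glob
    for entry in $listeners; do          # entries are split on whitespace/newlines
        addr=${entry%:*}                 # strip the trailing :PORT
        p=${entry##*:}
        [ "$p" = "$port" ] || continue
        found=1
        case $addr in
            127.*|'[::1]'|'[::ffff:127.'*) ;;   # loopback addresses
            *) exposed=1 ;;                     # wildcard or a real interface
        esac
    done
    set +f
    if [ "$found" -eq 0 ]; then
        echo none
    elif [ "$exposed" -eq 1 ]; then
        echo exposed
    else
        echo loopback
    fi
}

# live_check PORT
# Runs the classification against the real socket table. Assumes Linux with
# iproute2's ss(8): -H suppresses the header, column 4 is Local Address:Port.
live_check() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 2; }
    bind_exposure "$1" "$(ss -Hltn | awk '{print $4}')"
}

# Usage: sh check_jenkins_bind.sh 8080   (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    result=$(live_check "$1")
    echo "port $1: $result"
    if [ "$result" = exposed ]; then
        echo "hint: restart without -Dhost=0.0.0.0, or configure security first" >&2
    fi
fi
```

Run it with the port your instance uses (8080 by default, or whatever you passed via `-Dport`). An `exposed` result for an instance with no security configured is exactly the situation the new loopback default is meant to prevent.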
