
Jenkins warns of security holes in these 25 plugins

Anonymous Coward

Advisory exhaustion

These "Jenkins Security Advisories" come out a couple of times a month, on average. I subscribe to the feed and do a short write-up for our "Jenkins interest" Teams channel in the hope that at least some of the many, many people administering many, many Jenkins instances in our organization pay attention. (Some groups have proper Operations teams running it, but often it's left up to random developers.)

Doing a write-up is useful because the format of the advisories is terrible. Severities are listed separately from the problem descriptions, for example.

Unfortunately, I suspect that without dedicated staff, there are just too many of these and people get tired of trying to install what fixes are available, or culling plugins they have no real need for.

And that's a problem, because Jenkins is not only a huge attack surface, but a particularly tempting one, since it's building software. And often developers have access to it, and developers are often among the worst users for security – running all sorts of things with excess privilege, downloading and running code and binaries of uncertain provenance, and so forth. An attacker compromising a developer's laptop and then pivoting through Jenkins to add malware to in-house or product software is an obvious and plausible tactic.
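The triage step the comment describes (match the advisory's affected-version list against what is actually installed, then decide per plugin whether to upgrade or cull it) can be scripted. The following is an added example, not code from the commenter or from the Jenkins project. It uses constructed data only: the warning records mimic the shape of the `warnings` array in the Jenkins update-center JSON (`type`, `id`, `name`, `message`, `url`, `versions[]` with `lastVersion` and a regex `pattern`), the installed list mimics the `plugins` entries from `<jenkins>/pluginManager/api/json?depth=1`, and every plugin name, advisory ID (`SECURITY-EXAMPLE-*`) and URL is made up. The version comparison and the "no `lastVersion` means no fix yet" reading are simplifications, labelled as such in the comments.

```python
import re

# Constructed sample data (not real advisories). Shape follows the "warnings"
# array of the Jenkins update-center JSON: type, id, name (plugin shortName),
# message, url, versions[] with lastVersion and/or a regex pattern.
SAMPLE_WARNINGS = [
    {"type": "plugin", "id": "SECURITY-EXAMPLE-1", "name": "example-scm",
     "message": "Stored XSS in job configuration form",
     "url": "https://example.invalid/advisory/1",
     "versions": [{"lastVersion": "2.4.1", "pattern": "2[.].*"}]},
    {"type": "plugin", "id": "SECURITY-EXAMPLE-2", "name": "example-auth",
     "message": "Credentials stored unencrypted on disk",
     "url": "https://example.invalid/advisory/2",
     "versions": [{"lastVersion": "1.10", "pattern": "1[.].*"}]},
    {"type": "plugin", "id": "SECURITY-EXAMPLE-3", "name": "example-notify",
     "message": "CSRF allows triggering arbitrary builds",
     "url": "https://example.invalid/advisory/3",
     "versions": [{"pattern": ".*"}]},          # no lastVersion: nothing fixed yet
    {"type": "core", "id": "SECURITY-EXAMPLE-4", "name": "core",
     "message": "Core issue, tracked separately",
     "url": "https://example.invalid/advisory/4",
     "versions": [{"lastVersion": "2.100", "pattern": ".*"}]},
]

# Constructed sample (not a real instance). Shape follows the "plugins" entries
# returned by <jenkins>/pluginManager/api/json?depth=1.
SAMPLE_INSTALLED = [
    {"shortName": "example-scm", "version": "2.4.1", "active": True},
    {"shortName": "example-auth", "version": "1.11", "active": True},
    {"shortName": "example-notify", "version": "3.0", "active": False},
    {"shortName": "example-unrelated", "version": "0.9", "active": True},
]


def version_key(version):
    """Comparable key for dotted plugin versions: numeric parts compare as ints.
    Simplification (assumption): a trailing qualifier such as '-beta' sorts after
    the bare release, which is acceptable for mostly numeric plugin versions."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def is_affected(warning, installed_version):
    """True if installed_version falls inside any affected range of the warning.
    lastVersion is read as the highest affected version (anything newer is
    fixed); an entry without lastVersion is matched by its regex pattern alone."""
    for rng in warning.get("versions", []):
        last = rng.get("lastVersion")
        if last is not None:
            if version_key(installed_version) <= version_key(last):
                return True
        elif re.fullmatch(rng.get("pattern", ".*"), installed_version):
            return True
    return False


def has_fix(warning):
    """A fix exists if at least one range names a lastVersion to move past."""
    return any("lastVersion" in rng for rng in warning.get("versions", []))


def triage(warnings, installed):
    """Join plugin warnings to installed plugins and decide an action per hit."""
    by_name = {p["shortName"]: p for p in installed}
    hits = []
    for w in warnings:
        if w.get("type") != "plugin":
            continue                      # core advisories are a separate workflow
        plugin = by_name.get(w["name"])
        if plugin is None or not is_affected(w, plugin["version"]):
            continue
        if not plugin["active"]:
            action = "remove (disabled but still installed, no reason to keep it)"
        elif has_fix(w):
            fixed_after = max((r["lastVersion"] for r in w["versions"] if "lastVersion" in r),
                              key=version_key)
            action = "upgrade to a release newer than " + fixed_after
        else:
            action = "no fix yet: disable or remove, or record the accepted risk"
        hits.append({"id": w["id"], "plugin": w["name"], "installed": plugin["version"],
                     "message": w["message"], "url": w["url"], "action": action})
    return hits


def format_report(hits):
    """One line per affected plugin with message and action side by side."""
    if not hits:
        return "No installed plugin is affected by the current warnings."
    return "\n".join("%(id)s %(plugin)s %(installed)s: %(message)s -> %(action)s (%(url)s)" % h
                     for h in hits)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_WARNINGS, SAMPLE_INSTALLED)))
```

Against a live instance you would feed `triage()` the real `warnings` array and the real `pluginManager` plugin list instead of the constructed samples; the disabled-but-installed case is called out separately because a disabled plugin still sits on disk and is the easiest thing to cull.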
