
Passwords are replaced but not masked in global envs

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • Component: mask-passwords-plugin
    • Environment: Jenkins ver. 2.19.3, Mask Passwords Plugin 2.8

      We have a global password called JENKINSPASS

      We have a global env ANT_OPTS defined, which references it like -Djavax.net.ssl.keyStorePassword=${JENKINSPASS}

      For no apparent reason (we didn't upgrade) an unmasked value of the password started to appear in "Environment Variables" view. Note JENKINSPASS itself is masked.

      ANT_OPTS	-Djavax.net.ssl.keyStorePassword=N0wC0mpr0miss3dS3cr3t
      JENKINSPASS	[*******]
      

      Older builds don't contain an entry for ANT_OPTS at all.
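
The failure mode reported above, as an added example that is not part of the original issue or the plugin's code: masking keyed on the variable name misses a second variable that expands the secret, while masking keyed on the secret's value catches it. The helper names and the password value are constructed for illustration, and the `${NAME}` expansion is a simplified model.

```python
import re

MASK = "[*******]"  # mask string as it appears in the report's output
_REF = re.compile(r"\$\{(\w+)\}")


def expand(template, variables):
    """Expand ${NAME} references; unknown names are left untouched."""
    return _REF.sub(lambda m: variables.get(m.group(1), m.group(0)), template)


def mask_by_name(env, secret_names):
    """Mask only entries whose *name* is a known secret (the reported behaviour)."""
    return {k: MASK if k in secret_names else v for k, v in env.items()}


def mask_by_value(env, secret_values):
    """Mask every occurrence of a secret *value*, wherever it was expanded."""
    # Longest first, so a secret that contains another one is replaced whole.
    ordered = sorted((s for s in secret_values if s), key=len, reverse=True)
    masked = {}
    for name, value in env.items():
        for secret in ordered:
            value = value.replace(secret, MASK)
        masked[name] = value
    return masked


def find_leaks(displayed_env, secret_values):
    """Names of variables whose displayed value still contains a secret."""
    return sorted(k for k, v in displayed_env.items()
                  if any(s and s in v for s in secret_values))


# Constructed sample mirroring the report; the password value is made up.
secrets = {"JENKINSPASS": "example-Secret-123"}
env = dict(secrets)
env["ANT_OPTS"] = expand("-Djavax.net.ssl.keyStorePassword=${JENKINSPASS}", secrets)

if __name__ == "__main__":
    by_name = mask_by_name(env, secrets.keys())
    print("leaks after name-based masking:", find_leaks(by_name, secrets.values()))
    print("value-based masking:", mask_by_value(env, secrets.values()))
```

`find_leaks` can be pointed at any rendered view or log payload (an environment dump, a document about to be shipped to a log collector) to check that no known secret value survives in it.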

          [JENKINS-40017] Passwords are replaced but not masked in global envs

          Jakub Bochenski created issue
          Jakub Bochenski added a comment - Last Jenkins upgrade was 6 days before
          Jakub Bochenski added a comment - It would be nice to get some response here, this keeps happening, compromising all secrets stored on Jenkins
          Jakub Bochenski made changes -
          Labels New: security

          Jakub Bochenski added a comment - This also results in unmasked values being sent to logstash when using the logstash-plugin

          Oleg Nenashev added a comment -

          Sorry, I have no capacity to work on this issue soon, the plugin waits for adoption. For Environment Variables you can disable this view via EnvInject plugin settings, there is not so much I can do there without serious plugin rework.

          Regarding the LogStash plugin, it needs investigation. IIRC the plugin ignores console annotators.

            Assignee: Unassigned
            Reporter: Jakub Bochenski (jbochenski)
            Votes: 1
            Watchers: 4