Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-47736

JEP-200: Switch Remoting/XStream blacklist to a whitelist

    XMLWordPrintable

Details

    • JEP-200: Switch Remoting/XStream blacklist to a whitelist

    Description

      Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-53613 Plugin affected by JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-53638 Maven Plugin Affected by JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49237 CPPNCSS Plugin fails with "WARNING: java.util.Calendar in JRE might be dangerous,"

          • Blocker - Blocks development and/or testing work, production could not run.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-48963 UnsupportedOperationException: Refusing to marshal com.sonymobile.tools.gerrit.gerritevents.watchdog.WatchTimeExceptionData for security reasons

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49089 UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-41751 Groovy PowerAssertions don't show a useful message when being CPS transformed

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49016 Android-lint plugin affected by JEP in 2.102

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49176 SimpleDateFormat is not whitelisted - JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49573 Matrix Configuration Parameter Plugin is affected by JEP-200

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-50566 Google Compute Engine Plugin JEP-200 Class rejected

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-50460 Builds marked as failed - Dr Memory plugin (JEP-200)

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49175 Job DSL Plugin violates whitelist

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49699 Doktor plugin affected by JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. JENKINS-48734 JEP-200 - Make PCT usable for testing plugin compatibility with unreleased Jenkins Cores

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. JENKINS-43875 Cleanup following SECURITY-429

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-57796 Checkmarx affected by JEP-200

          • Critical - Crashes, loss of data, severe memory leak.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49025 SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49130 Sonar Quality Gates run fails after upgrade to Jenkins 2.102/2.103

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-48965 Refusing to marshal java.util.Collections$SynchronizedRandomAccessList for security reasons

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-49586 JDepend plugin classes not in JEP-200 whitelist

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-51331 AuditTrail plugin incompatible with JEP-200

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-47158 Warnings about workflow/*-parallel-synthetic.xml serializing WorkflowRun objects

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link CloudBees Internal OSS-2508

          Web Link cloudbees-folder PR 116

          Web Link copyartifact PR 97

          Web Link core PR 3120

          Web Link credentials PR 96

          Web Link crx-content-package-deployer PR 8

          Web Link dependency-check PR 20

          Web Link dockerhub-notification PR 16

          Web Link git-client PR 290

          Web Link jenkins-test-harness PR 81

          Web Link JEP 200

          Web Link job-dsl PR 1092

          Web Link kubernetes-pipeline PR 66

          Web Link lib-jenkins-maven-embedder PR 15

          Web Link monitoring PR 6

          Web Link nexus-platform PR 16

          Web Link parameterized-trigger PR 118

          Web Link pipeline-build-step PR 17

          Web Link priority-sorter PR 42

          Web Link project-description-setter PR 2

          Web Link publish-over PR 8

          Web Link remoting PR 208

          Web Link ruby-runtime PR 5

          Web Link saltstack PR 116

          Web Link Wiki Page with the list of affected plugins

          Web Link workflow-cps PR 190

          Web Link workflow-support PR 50

          Web Link xtrigger-lib PR 9

          Activity

            People

              jglick Jesse Glick
              jglick Jesse Glick
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: