Details
- Type: Epic
- Status: Resolved
- Priority: Critical
- Resolution: Fixed
- Component/s: core, jenkins-test-harness, remoting
- Labels: JEP-200 classloader remoting security xstream
- Epic Name: JEP-200: Switch Remoting/XStream blacklist to a whitelist
Description
Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.
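The blocklist-versus-allowlist distinction in the description, as an added Python example that is not Jenkins, Remoting or XStream code: Python's pickle stands in for Java serialization and XStream, and the `find_class()` hook is the point at which each filter decides whether a class named in the stream may be loaded. The `hudson_plugin_stub` module, the `Fingerprint` class, the `eval`-based gadget and both sample streams are constructed for illustration; the "Refusing to unmarshal ... for security reasons" wording mirrors the errors quoted in the linked issues. "Defined in `hudson_plugin_stub`" stands in for the categorical exemption "loaded from Jenkins core or a plugin".

```python
import datetime
import io
import pickle
import sys
import types


class RejectedClass(Exception):
    """Raised when a class named in the stream is not permitted."""


# Old scheme: enumerate classes known to be dangerous. Anything the list does
# not name is accepted, so every gadget discovered after the list was written
# gets through.
BLOCKLIST = frozenset({("os", "system"), ("subprocess", "Popen")})

# New scheme, part 1: an explicit list of permitted leaf classes (the analogue
# of whitelisting individual JDK types such as Calendar or SimpleDateFormat).
ALLOWLIST = frozenset({("datetime", "datetime"), ("datetime", "timedelta")})

# New scheme, part 2: a categorical exemption for classes the application
# itself defines. PLUGIN_MODULE is a constructed stand-in for "loaded from
# Jenkins core or a plugin"; in Jenkins the check is on the classloader.
PLUGIN_MODULE = "hudson_plugin_stub"
TRUSTED_MODULES = frozenset({PLUGIN_MODULE})


class BlocklistUnpickler(pickle.Unpickler):
    """Deny-listed classes are refused; everything else is loaded."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise RejectedClass(f"Refusing to unmarshal {module}.{name} for security reasons")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Only explicitly listed or categorically exempt classes are loaded."""

    def find_class(self, module, name):
        if module in TRUSTED_MODULES or (module, name) in ALLOWLIST:
            return super().find_class(module, name)
        raise RejectedClass(f"Refusing to unmarshal {module}.{name} for security reasons")


def unpickle_with_blocklist(data: bytes):
    return BlocklistUnpickler(io.BytesIO(data)).load()


def unpickle_with_allowlist(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


class Fingerprint:
    """Constructed stand-in for a legitimate application class in the stream."""

    def __init__(self, md5: str, timestamp: datetime.datetime):
        self.md5 = md5
        self.timestamp = timestamp

    def __eq__(self, other):
        return isinstance(other, Fingerprint) and (self.md5, self.timestamp) == (other.md5, other.timestamp)


# Register Fingerprint under the stand-in plugin module so the stream names it
# as hudson_plugin_stub.Fingerprint rather than as a class of this script.
_plugin_mod = types.ModuleType(PLUGIN_MODULE)
Fingerprint.__module__ = PLUGIN_MODULE
_plugin_mod.Fingerprint = Fingerprint
sys.modules[PLUGIN_MODULE] = _plugin_mod


class _Gadget:
    """Constructed attacker object: on load, pickle calls eval("6*7").

    A real gadget would do something far worse; the point is that the
    blocklist above never heard of builtins.eval."""

    def __reduce__(self):
        return (eval, ("6*7",))


# Constructed sample streams: one benign, one hostile.
LEGIT_PAYLOAD = pickle.dumps(
    Fingerprint("d41d8cd98f00b204e9800998ecf8427e", datetime.datetime(2018, 1, 8, 12, 0))
)
GADGET_PAYLOAD = pickle.dumps(_Gadget())


def run_demo():
    """Run both streams through both filters; return (outcome, value) per pair."""
    results = {}
    for label, data in (("legit", LEGIT_PAYLOAD), ("gadget", GADGET_PAYLOAD)):
        for scheme, fn in (("blocklist", unpickle_with_blocklist), ("allowlist", unpickle_with_allowlist)):
            try:
                results[(scheme, label)] = ("loaded", fn(data))
            except RejectedClass as exc:
                results[(scheme, label)] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for key, outcome in sorted(run_demo().items()):
        print(key, outcome)
```

The blocklist loads the gadget stream and executes the attacker's `eval` (the value 42 comes back), while the allowlist rejects it because `builtins.eval` is neither listed nor in an exempt module; the benign `Fingerprint` stream loads under both, which is the compatibility property JEP-200 relies on: application classes pass by category, and only foreign library or JDK types need an explicit entry.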
Issue Links
- is blocked by
  - JENKINS-53613 Plugin affected by JEP-200 (Open)
  - JENKINS-53638 Maven Plugin Affected by JEP-200 (Open)
- is related to
  - JENKINS-49699 Doktor plugin affected by JEP-200 (Open)
  - JENKINS-49237 CPPNCSS Plugin fails with "WARNING: java.util.Calendar in JRE might be dangerous," (Resolved)
  - JENKINS-48963 UnsupportedOperationException: Refusing to marshal com.sonymobile.tools.gerrit.gerritevents.watchdog.WatchTimeExceptionData for security reasons (Resolved)
  - JENKINS-49089 UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons (Resolved)
  - JENKINS-41751 Groovy PowerAssertions don't show a useful message when being CPS transformed (Resolved)
  - JENKINS-49016 Android-lint plugin affected by JEP in 2.102 (Resolved)
  - JENKINS-49176 SimpleDateFormat is not whitelisted - JEP-200 (Resolved)
  - JENKINS-49573 Matrix Configuration Parameter Plugin is affected by JEP-200 (Closed)
  - JENKINS-50566 Google Compute Engine Plugin JEP-200 Class rejected (Closed)
  - JENKINS-50460 Builds marked as failed - Dr Memory plugin (JEP-200) (Closed)
  - JENKINS-49175 Job DSL Plugin violates whitelist (Closed)
- relates to
  - JENKINS-48734 JEP-200 - Make PCT usable for testing plugin compatibility with unreleased Jenkins Cores (Resolved)
  - JENKINS-43875 Cleanup following SECURITY-429 (Resolved)
  - JENKINS-57796 Checkmarx affected by JEP-200 (Open)
  - JENKINS-49025 SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator (Resolved)
  - JENKINS-49130 Sonar Quality Gates run fails after upgrade to Jenkins 2.102/2.103 (Resolved)
  - JENKINS-48965 Refusing to marshal java.util.Collections$SynchronizedRandomAccessList for security reasons (Resolved)
  - JENKINS-49586 JDepend plugin classes not in JEP-200 whitelist (Resolved)
  - JENKINS-51331 AuditTrail plugin incompatible with JEP-200 (Resolved)
  - JENKINS-47158 Warnings about workflow/*-parallel-synthetic.xml serializing WorkflowRun objects (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Status | Open [ 1 ] | In Progress [ 3 ] |
Remote Link | | This issue links to "remoting PR 208 (Web Link)" [ 17952 ] |
Remote Link | | This issue links to "jenkins-test-harness PR 81 (Web Link)" [ 17953 ] |
Remote Link | | This issue links to "core PR 3120 (Web Link)" [ 17954 ] |
Remote Link | | This issue links to "dockerhub-notification PR 16 (Web Link)" [ 17955 ] |
Remote Link | | This issue links to "Draft JEP (Web Link)" [ 17956 ] |
Status | In Progress [ 3 ] | In Review [ 10005 ] |
Remote Link | | This issue links to "JEP 200 (Web Link)" [ 17981 ] |
Remote Link | | This issue links to "JEP 200 (Web Link)" [ 18104 ] |
Remote Link | | This issue links to "cloudbees-folder PR 116 (Web Link)" [ 18228 ] |
Remote Link | | This issue links to "CloudBees Internal OSS-2508 (Web Link)" [ 18268 ] |
Remote Link | | This issue links to "credentials PR 96 (Web Link)" [ 18295 ] |
Remote Link | | This issue links to "parameterized-trigger PR 118 (Web Link)" [ 18296 ] |
Remote Link | | This issue links to "workflow-cps PR 190 (Web Link)" [ 18297 ] |
Remote Link | | This issue links to "pipeline-build-step PR 17 (Web Link)" [ 18298 ] |
Remote Link | | This issue links to "copyartifact PR 97 (Web Link)" [ 19279 ] |
Remote Link | | This issue links to "workflow-support PR 50 (Web Link)" [ 19532 ] |
Remote Link | | This issue links to "git-client PR 290 (Web Link)" [ 19533 ] |
Remote Link | | This issue links to "job-dsl PR 1092 (Web Link)" [ 19534 ] |
Remote Link | | This issue links to "lib-jenkins-maven-embedder PR 15 (Web Link)" [ 19535 ] |
Issue Type | New Feature [ 2 ] | Epic [ 10001 ] |
Epic Name | | JEP-200: Switch Remoting/XStream blacklist to a whitelist |
Labels | classloader remoting security xstream | classloader jep-200 remoting security xstream |
Summary | Switch Remoting/XStream blacklist to a whitelist | JEP-200: Switch Remoting/XStream blacklist to a whitelist |
Remote Link | | This issue links to "Wiki Page with the list of affected plugins (Web Link)" [ 19727 ] |
Remote Link | | This issue links to "xtrigger-lib PR 9 (Web Link)" [ 19750 ] |
Remote Link | | This issue links to "monitoring PR 6 (Web Link)" [ 19764 ] |
Remote Link | | This issue links to "ruby-runtime PR 5 (Web Link)" [ 19769 ] |
Remote Link | | This issue links to "priority-sorter PR 42 (Web Link)" [ 19770 ] |
Remote Link | | This issue links to "project-description-setter PR 2 (Web Link)" [ 19771 ] |
Remote Link | | This issue links to "publish-over PR 8 (Web Link)" [ 19773 ] |
Remote Link | | This issue links to "dependency-check PR 20 (Web Link)" [ 19776 ] |
Remote Link | | This issue links to "saltstack PR 116 (Web Link)" [ 19778 ] |
Remote Link | | This issue links to "nexus-platform PR 16 (Web Link)" [ 19781 ] |
Remote Link | | This issue links to "kubernetes-pipeline PR 66 (Web Link)" [ 19782 ] |
Remote Link | | This issue links to "crx-content-package-deployer PR 8 (Web Link)" [ 19783 ] |
Resolution | | Fixed [ 1 ] |
Status | In Review [ 10005 ] | Resolved [ 5 ] |
Labels | classloader jep-200 remoting security xstream | JEP-200 classloader remoting security xstream |
Link | | This issue is related to JENKINS-49699 [ JENKINS-49699 ] |
Link | | This issue is blocking SECURITY-800 [ SECURITY-800 ] |
Epic Child | | JENKINS-53613 [ 194097 ] |
Link | | This issue is blocked by JENKINS-53613 [ JENKINS-53613 ] |
Link | | This issue is blocked by JENKINS-53638 [ JENKINS-53638 ] |
Link | | This issue relates to JENKINS-57796 [ JENKINS-57796 ] |
Epic Child | | JENKINS-62571 [ 206594 ] |

I filed a JEP which should be referred to for all details.