Thank you so much for your efforts, Stamatis, Zoltan! I'm more than happy to see people taking care of infra problems!

Regards,
Laszlo Bodor

Stamatis Zampetakis <zabe...@apache.org> wrote (on Mon, 15 Jul 2024, 13:44):

> Hi all,
>
> Recently we have received reports that our Jenkins server running at
> ci.hive.apache.org was affected by CVE-2024-23897 [1]. The
> vulnerability was addressed by upgrading Jenkins to the latest version
> as part of HIVE-28339 [2,3].
>
> Given the nature of the vulnerability, I reviewed the Jenkins instance
> for sensitive information that could have been exposed and found a
> potential credential leak. Together with Zoltan Haindrich we went over
> the Jenkins credential storage and it turns out that there were no
> real user credentials affected. In fact, most credentials that were
> stored in Jenkins were obsolete, thus we removed them completely.
>
> In CI, we use a special bot user, namely asf-ci-hive, that is used to
> add/remove labels in PRs, and there is a risk that its personal
> access tokens have been compromised. For that reason, we got in touch
> with INFRA and we obtained a new personal access token (INFRA-25949
> [4]) that I set up on Friday, July 12 2024.
>
> Other information that may have been compromised consists of GitHub
> usernames of those users that logged in recently to Jenkins, but for
> the most part this information is publicly available on GitHub.
>
> The Jenkins upgrade was also necessary to address various other CVEs
> that were not reported explicitly but affected Jenkins and
> various of the installed plugins. To avoid a similar situation in the
> future we should ensure that our Jenkins instance remains up to date
> at all times.
>
> Credit:
> Thanks to Othmane Friha (n3s7l3), and Dadang Firmansah (Dungs) for
> reporting the vulnerability.
>
> Best,
> Stamatis
>
> [1] https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
> [2] https://issues.apache.org/jira/browse/HIVE-28339
> [3] https://lists.apache.org/thread/4qb3z3yx9ovnxbsr4b02ohz6twlkrlx9
> [4] https://issues.apache.org/jira/browse/INFRA-25949