On Tuesday, April 5, 2022 at 8:20:29 AM UTC-6 Tomonari Katsumata wrote:

> Hello 
>
> I'm the one who recently started using these Jenkins plugins.
> - generic-webhook-trigger 1.67 
> - kubernetes 1.19.3 
> - pipeline-model-definition 1.6.0 
> - git 4.2.2 
> - git-client 3.2.1 
> - scmskip 1.0.1 
> - openshift-sync 1.0.45 
> - gitlab-plugin 1.5.13 
> (I use Jenkins 2.204.2)

No one has analyzed that Jenkins core version or those plugin releases to 
see if they are vulnerable.  No one will analyze those versions.

You may not be affected by Spring4Shell but you *are* *affected* by *many* 
Jenkins security advisories.  
See https://www.jenkins.io/security/advisories/ for the Jenkins core 
security advisories that may apply to that old Jenkins core version.

As a sampling, the security advisories include:

   - https://www.jenkins.io/security/advisory/2022-02-09/
   - https://www.jenkins.io/security/advisory/2022-01-12/
   - https://www.jenkins.io/security/advisory/2021-11-04/
   - https://www.jenkins.io/security/advisory/2021-10-06/
   - https://www.jenkins.io/security/advisory/2021-06-30/
   - https://www.jenkins.io/security/advisory/2021-04-20/
   - https://www.jenkins.io/security/advisory/2021-02-19/
   
I only gathered security advisories for the last year.  Your Jenkins 
version is two years old.

Since you care enough about security to ask about Spring4Shell, you 
certainly care enough to resolve all those security advisories by upgrading 
Jenkins core and the Jenkins plugins that you use.

Mark Waite
