Jenkins SECURITY-3314/SECURITY-3315 Mitigation

Over the last couple weeks, Ellucian noted that there is a critical security hole found in version of Jenkins that's currently required by ESM. The security hole involves the SSH plugin and the CLI HTTP endpoint as detailed below.

While they did provide the fix for this, the instructions were a bit confusing and did not provide any screenshots.

Thus, here are (hopefully) some clearer steps on how to disable the SSH plugin and CLI HTTP endpoint.

 

Step 1: Login into Jenkins and access Security

  • Login to the ESM Jenkins instance as the admin user
  • Click Manage Jenkins
  • Scroll down and then click Security

Jenkins SSH Disable 1

Step 2: Disable SSH

  • Scroll down to SSH port and click Disable

Jenkins SSH Disable 2

Step 3: Disable CLI HTTP Endpoint

As the jenkins admin user:

  • Click Manage Jenkins
  • Scroll down and then click Script Console

Jenkins SSH Disable 3

  • To disable the CLI, paste contents of the disable-cli.groovy file into the script console.
  • This will disable the CLI. However it will be re-enabled once jenkins is restarted.
  • To permanently disable the CLI, do the following:
  1. SSH to the ESM server as the esmadmin user.
  2. cd /u01/jenkins (or where-ever jenkins is installed on your server)
  3. within the Jenkins directory, create a subdirectory called init.groovy.d  --- all files within this directory are executed when jenkins starts up.
  4. copy the file disable-cli.groovy into the init.groovy,d subdirectory
  5. This file will now be executed each time jenkins starts up.

Jenkins SSH Disable 3

The contents of www.nyquest.com are Copyright © 2020 by Nyquest Consulting, LLC.
Ellucian® and Banner® are registered trademarks of Ellucian® Corporation.
Nyquest is not affiliated in any way with Ellucian® .
All Rights Reserved.