Please see for status indicators and high level system status information.
For support, please visit or email

Wednesday 25 November 2015

Jenkins Master - Upgrade to Java 8


CloudBees has changed the default configuration for all Jenkins masters to use Java 8.

This modernizes our Java stack and provides a more easily supported environment for our Jenkins engineering team.


  /opt/java8/bin/java -version
  java version "1.8.0_60"
  Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
  Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

Activating Java 8

To activate Java 8, restart your Jenkins.

Regressions / Limitations

At this stage there are no known regressions with running on Java 8 - but you should log a support ticket if you experience any issues.

Deactivating Java 7

To revert to Java 7, please log a support ticket requesting the downgrade.

Wednesday 11 November 2015

Outage for Jenkins Security Release 1.609.4.3


Vulnerability public @ November 6th 2015 15:00 (UTC)
Vulnerability closed @ November 6th 2015 22:00 (UTC)
Vulnerability fixed @ November 9th 04:00 (UTC)


  • CLI / OPE connectivity disabled

Root Cause

The CloudBees response to the vulnerability announcement (see advisory) was to close the OPE/CLI TCP ports - and then remove CLI functionality shortly thereafter. This occurred 7 hours after the vulnerability was made public.

On November 8th, a patch was released to close the vulnerability in the Jenkins server. We progressively rolled this patch out and re-activated the OPE/CLI functionality on all Jenkins services.

Data Loss / Security Implications

Indications are:

  1. there was no increase in traffic to the Jenkins servers we checked for breaches
  2. access to the CLI ports was closed 7 hours after the initial announcement
  3. the exploit as written doesn't work due to the network configuration of DEV@cloud
  4. the exploit is based off a commons-collections vulnerability announced early in 2015 - so there may have been unannounced vulnerabilities floating around the internet

Customers need to perform a risk assessment to determine whether they need to reissue credentials in their environment.


Our status notes are ephemeral - the overall outage notice was written and posted once the release had been completed.

Full information on the security vulnerability is available in

Tuesday 3 November 2015

DEV@cloud global restart - Java 7 update

We will be performing a Java upgrade and global restart of all Jenkins instances in DEV@cloud.


  • patch Java 7 to latest update
  • deploy Java 8 so it can be used on beta customers (in preparation for global rollout)
  • allow individual customers to be switched to Java 8


  • 4th November 7am UTC - 9am UTC


The outage will be momentary for customers as their Jenkins restarts.

Due to how this patch to the environment is applied it is not possible for us to hold off this restart for individual customers.

Our monitoring systems will tell us if your Jenkins has not come back up cleanly; however, in the event that you do experience issues, please raise a support request via the normal means.

Post Outage Review

There were a small number of Jenkins servers in our production environment running an older base operating system.  These older instances did not upgrade to our satisfaction - and so we made the decision to terminate these instances and reprovision customer Jenkins on newer and faster hardware.

While this was not ideal timing, the work was completed largely within the outage window - but not as quickly as we would like.


We are reviewing the way we communicate outages with customers - in this case we did not have sufficient time (for operational scheduling reasons) to communicate this particular upgrade.

We are also reviewing the Jenkins behaviour of displaying a stack-trace to the user rather than something more useful.

There are also changes being made to our hosted Jenkins platform to improve the resilience and stability.