Please see for status indicators and high level system status information.
For support, please visit or email

Wednesday 11 November 2015

Outage for Jenkins Security Release 1.609.4.3


Vulnerability public @ November 6th 2015 15:00 (UTC)
Vulnerability closed @ November 6th 2015 22:00 (UTC)
Vulnerability fixed @ November 9th 04:00 (UTC)


  • CLI / OPE connectivity disabled

Root Cause

The CloudBees response to the vulnerability announcement (see advisory) was to close the OPE/CLI TCP ports - and then remove CLI functionality shortly thereafter. This occurred 7 hours after the vulnerability was made public.

On November 8th, a patch was released to close the vulnerability in the Jenkins server, and we progressively rolled this patch out, and re-activated the OPE/CLI functionality on all Jenkins services.

Data Loss / Security Implications

Indications are

  1. there was no increase in traffic to the Jenkins servers we checked for breaches
  2. access to the CLI ports was closed 7 hours after the initial announcement
  3. the exploit as written doesn't work due to the network configuration of DEV@cloud
  4. the exploit is based off a commons-collections vulnerability announced early in 2015 - so there may have been unannounced vulnerabilities floating around the internet
Customers need to perform a risk assessment to determine whether they need to reissue credentials in their environment.


Our status notes are ephemeral - the overall outage notice was written and posted once the release had been completed.

Full information on the security vulnerability is available in