
JEP-200: Switch Remoting/XStream blacklist to a whitelist

    Details

    • Epic Name:
      JEP-200: Switch Remoting/XStream blacklist to a whitelist

      Description

      Currently Remoting and XStream2 share a blacklist of classes thought to be dangerous to deserialize, due to historically reported remote code execution attacks. We should instead switch to a whitelist, plus some categorical exemptions.
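The difference between the two policies the description contrasts is easiest to see with a concrete filter on each side of a deserialization call. The example below is added here and is not Jenkins code: it does not use the remoting `ClassFilter` or `XStream2`, but models the same policy change with the JDK's own `java.io.ObjectInputFilter` (Java 9 or later). The `BuildResult` type, the `DeserializationFilterDemo` class name, and the package names in the blocklist pattern are illustrative. Treating "every nested type of this class" as the categorical exemption is an assumption made to stand in for "classes the application itself defines"; it is not JEP-200's actual exemption rule. The payloads are constructed in `main`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.List;
import java.util.PriorityQueue;

/**
 * Blocklist versus allowlist deserialization policy, modelled with the JDK's
 * own java.io.ObjectInputFilter (Java 9+). Illustrative example only; this is
 * not the Jenkins remoting ClassFilter or XStream2 code.
 */
public class DeserializationFilterDemo {

    /** Hypothetical application type that a consumer legitimately expects. */
    public static final class BuildResult implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int number;
        final String[] steps;

        BuildResult(String name, int number, String[] steps) {
            this.name = name;
            this.number = number;
            this.steps = steps;
        }
    }

    /**
     * Blocklist: veto packages already known to host gadget chains, accept
     * everything else via the trailing "*". Any class not named here,
     * including the next gadget chain to be published, is accepted.
     * The package names are illustrative.
     */
    static final ObjectInputFilter BLOCKLIST = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.**;"
          + "!org.apache.commons.collections4.**;"
          + "*");

    /**
     * Allowlist: accept a short list of JDK value types, one categorical
     * exemption (every nested type of this class, standing in for "classes
     * the application itself defines"; an assumption for this demo), plus
     * resource limits, then reject everything else with the trailing "!*".
     * Unknown JDK types are rejected by default.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;"
          + DeserializationFilterDemo.class.getName() + "$*;"
          + "maxdepth=20;maxarray=10000;maxrefs=1000;"
          + "!*");

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /**
     * Deserializes the payload under the given filter. ObjectInputStream
     * reports a filter veto as an InvalidClassException, mapped to false here;
     * a completed read yields true.
     */
    static boolean accepts(byte[] payload, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads: the application type a consumer expects, and a
        // JDK collection type that no code here ever asked to receive.
        byte[] expected = serialize(new BuildResult("core", 42, new String[] {"compile", "test"}));
        byte[] unexpected = serialize(new PriorityQueue<>(List.of("b", "a")));

        System.out.println("BuildResult    blocklist=" + accepts(expected, BLOCKLIST)
                + " allowlist=" + accepts(expected, ALLOWLIST));
        System.out.println("PriorityQueue  blocklist=" + accepts(unexpected, BLOCKLIST)
                + " allowlist=" + accepts(unexpected, ALLOWLIST));
    }
}
```

Run with `java DeserializationFilterDemo.java`. Both filters accept the `BuildResult` payload, but only the blocklist accepts the `PriorityQueue` payload: that class is not on the veto list, so the blocklist has no opinion and falls through to "*", whereas the allowlist rejects it because nobody listed it. That is the failure mode the description is about: a blocklist stays only as current as the last published gadget chain, while an allowlist has to be extended deliberately for each new type a consumer wants to receive.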


            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "remoting PR 208 (Web Link)" [ 17952 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "jenkins-test-harness PR 81 (Web Link)" [ 17953 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "core PR 3120 (Web Link)" [ 17954 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "dockerhub-notification PR 16 (Web Link)" [ 17955 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "Draft JEP (Web Link)" [ 17956 ]
            jglick Jesse Glick made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "Draft JEP (Web Link)" [ 17956 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "JEP 200 (Web Link)" [ 17981 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "JEP 200 (Web Link)" [ 17981 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "JEP 200 (Web Link)" [ 18104 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "cloudbees-folder PR 116 (Web Link)" [ 18228 ]
            jamesdumay James Dumay made changes -
            Remote Link This issue links to "CloudBees Internal OSS-2508 (Web Link)" [ 18268 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "credentials PR 96 (Web Link)" [ 18295 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "parameterized-trigger PR 118 (Web Link)" [ 18296 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow-cps PR 190 (Web Link)" [ 18297 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "pipeline-build-step PR 17 (Web Link)" [ 18298 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "copyartifact PR 97 (Web Link)" [ 19279 ]
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-47158 [ JENKINS-47158 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow-support PR 50 (Web Link)" [ 19532 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "git-client PR 290 (Web Link)" [ 19533 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "job-dsl PR 1092 (Web Link)" [ 19534 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "lib-jenkins-maven-embedder PR 15 (Web Link)" [ 19535 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue relates to JENKINS-48734 [ JENKINS-48734 ]
            oleg_nenashev Oleg Nenashev made changes -
            Issue Type New Feature [ 2 ] Epic [ 10001 ]
            oleg_nenashev Oleg Nenashev made changes -
            Summary Switch Remoting/XStream blacklist to a whitelist JEP-200: Switch Remoting/XStream blacklist to a whitelist
            Labels classloader remoting security xstream classloader jep-200 remoting security xstream
            Epic Name JEP-200: Switch Remoting/XStream blacklist to a whitelist
            oleg_nenashev Oleg Nenashev made changes -
            Epic Child INFRA-1461 [ 187594 ]
            oleg_nenashev Oleg Nenashev made changes -
            Remote Link This issue links to "Wiki Page with the list of affected plugins (Web Link)" [ 19727 ]
            oleg_nenashev Oleg Nenashev made changes -
            Epic Child JENKINS-48814 [ 187595 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "xtrigger-lib PR 9 (Web Link)" [ 19750 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "monitoring PR 6 (Web Link)" [ 19764 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "ruby-runtime PR 5 (Web Link)" [ 19769 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "priority-sorter PR 42 (Web Link)" [ 19770 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "project-description-setter PR 2 (Web Link)" [ 19771 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "publish-over PR 8 (Web Link)" [ 19773 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "dependency-check PR 20 (Web Link)" [ 19776 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "saltstack PR 116 (Web Link)" [ 19778 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "nexus-platform PR 16 (Web Link)" [ 19781 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "kubernetes-pipeline PR 66 (Web Link)" [ 19782 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "crx-content-package-deployer PR 8 (Web Link)" [ 19783 ]
            jglick Jesse Glick made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            rvangoethem Remi Van Goethem made changes -
            Epic Child JENKINS-48932 [ 187737 ]
            ttux Marc des Garets made changes -
            Link This issue is related to JENKINS-48963 [ JENKINS-48963 ]
            npfistner Norbert Pfistner made changes -
            Link This issue relates to JENKINS-48965 [ JENKINS-48965 ]
            rvangoethem Remi Van Goethem made changes -
            Epic Child JENKINS-48984 [ 187800 ]
            ntones Nicholas Tones made changes -
            Epic Child JENKINS-48991 [ 187807 ]
            walterngti Walter den Besten made changes -
            Epic Child JENKINS-49016 [ 187835 ]
            walterngti Walter den Besten made changes -
            Link This issue is related to JENKINS-49016 [ JENKINS-49016 ]
            jglick Jesse Glick made changes -
            Epic Child JENKINS-48984 [ 187800 ]
            jglick Jesse Glick made changes -
            Labels classloader jep-200 remoting security xstream JEP-200 classloader remoting security xstream
            tomfanning Tom Fanning made changes -
            Epic Child JENKINS-49025 [ 187845 ]
            tomfanning Tom Fanning made changes -
            Link This issue is related to JENKINS-49025 [ JENKINS-49025 ]
            tomfanning Tom Fanning made changes -
            Link This issue relates to JENKINS-49025 [ JENKINS-49025 ]
            tomfanning Tom Fanning made changes -
            Link This issue is related to JENKINS-49025 [ JENKINS-49025 ]
            pjaytycy Pieter-Jan Busschaert made changes -
            Epic Child JENKINS-49070 [ 187896 ]
            marco_rothe Marco Rothe made changes -
            Epic Child JENKINS-49089 [ 187922 ]
            marco_rothe Marco Rothe made changes -
            Link This issue is related to JENKINS-49085 [ JENKINS-49085 ]
            marco_rothe Marco Rothe made changes -
            Link This issue is related to JENKINS-49085 [ JENKINS-49085 ]
            marco_rothe Marco Rothe made changes -
            Link This issue is related to JENKINS-49089 [ JENKINS-49089 ]
            makj05 Martin Kjellqvist made changes -
            Link This issue relates to JENKINS-49130 [ JENKINS-49130 ]
            ewypych Emil Wypych made changes -
            Link This issue is related to JENKINS-49175 [ JENKINS-49175 ]
            ewypych Emil Wypych made changes -
            Link This issue is related to JENKINS-49176 [ JENKINS-49176 ]
            hcorg Konrad Grochowski made changes -
            Link This issue is related to JENKINS-49237 [ JENKINS-49237 ]
            wesley_b wesley Brown made changes -
            Epic Child JENKINS-49282 [ 188140 ]
            stancorbin Stan Corbin made changes -
            Epic Child JENKINS-49377 [ 188249 ]
            gangeld David Gangel made changes -
            Link This issue is related to JENKINS-49573 [ JENKINS-49573 ]
            reinholdfuereder Reinhold Füreder made changes -
            Link This issue is related to JENKINS-41751 [ JENKINS-41751 ]
            thenazg Chuck Burgess made changes -
            Link This issue relates to JENKINS-49586 [ JENKINS-49586 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue relates to JENKINS-43875 [ JENKINS-43875 ]
            laurent_dufour Laurent Dufour made changes -
            Link This issue is related to JENKINS-49699 [ JENKINS-49699 ]
            becke22 Björn Becker made changes -
            Epic Child JENKINS-49715 [ 188654 ]
            look4parker Michael Parker made changes -
            Epic Child JENKINS-50175 [ 189194 ]
            pinek Piotr Bogdanski made changes -
            Link This issue is blocked by JENKINS-50460 [ JENKINS-50460 ]
            pinek Piotr Bogdanski made changes -
            Link This issue is blocked by JENKINS-50460 [ JENKINS-50460 ]
            pinek Piotr Bogdanski made changes -
            Link This issue is related to JENKINS-50460 [ JENKINS-50460 ]
            ewypych Emil Wypych made changes -
            Link This issue is related to JENKINS-50566 [ JENKINS-50566 ]
            angelliang angel liang made changes -
            Link This issue is blocking SECURITY-800 [ SECURITY-800 ]
            angelliang angel liang made changes -
            Epic Child JENKINS-50781 [ 189887 ]
            bernhardb Bernhard Berbuir made changes -
            Link This issue relates to JENKINS-51331 [ JENKINS-51331 ]
            narlaswathi Narla Swathi made changes -
            Epic Child JENKINS-51634 [ 191047 ]
            exidon Ricardo Amendolia made changes -
            Epic Child JENKINS-51691 [ 191130 ]
            sakshisood sakshi sood made changes -
            Link This issue is blocked by JENKINS-53456 [ JENKINS-53456 ]
            sakshisood sakshi sood made changes -
            Epic Child JENKINS-53613 [ 194097 ]
            jglick Jesse Glick made changes -
            Link This issue is blocked by JENKINS-53456 [ JENKINS-53456 ]
            sakshisood sakshi sood made changes -
            Link This issue is blocked by JENKINS-53613 [ JENKINS-53613 ]
            sakshisood sakshi sood made changes -
            Link This issue is blocked by JENKINS-53638 [ JENKINS-53638 ]
            akom Alexander Komarov made changes -
            Link This issue relates to JENKINS-57796 [ JENKINS-57796 ]
            jasongross Jason Gross made changes -
            Epic Child JENKINS-62571 [ 206594 ]

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick
              • Votes:
                1
                Watchers:
                4
