Jenkins Vulnerability Assessment Discrepancy

Summary

At this moment, it is not possible for Flexera to maintain an accurate vulnerability assessment of Jenkins 2.x on Windows, because the latest Jenkins releases carry PE header version metadata that does not match the versions the vendor publicly advertises.

Diagnosis

A closer investigation of the executable files shipped in the latest Jenkins 2.x releases, and of the PE header metadata embedded in those files, showed that the vendor has mislabeled the versions of both the LTS and the Weekly releases.

When installed, the LTS version of Jenkins 2.263.3 contains version metadata of 2.9.0.0 instead of its advertised public version number (2.263.3).
When installed, the Weekly version of Jenkins 2.275 contains version metadata of 2.9.0.0 instead of its advertised public version number (2.275).
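As an added example (not Flexera's scanner code), the following Python script reads the VS_FIXEDFILEINFO block that Windows stores as PE version metadata and compares it with the vendor's advertised version; the sample bytes are constructed to reproduce the 2.9.0.0 mismatch described above. It scans for the block's signature rather than walking the resource directory, and assumes the file carries a single version block.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature that opens every VS_FIXEDFILEINFO block

def normalize(version: str) -> tuple:
    """Turn '2.263.3' or '2.9.0.0' into a 4-part integer tuple for comparison."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def read_pe_versions(data: bytes):
    """Return (FileVersion, ProductVersion) as dotted strings, or None if absent.

    Scans for the VS_FIXEDFILEINFO signature instead of walking the PE resource
    directory: a triage shortcut that assumes one version block per file.
    """
    sig = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = data.find(sig)
    while pos != -1 and pos + 52 <= len(data):
        _, struc_ver, fv_ms, fv_ls, pv_ms, pv_ls = struct.unpack_from("<6I", data, pos)
        if struc_ver >> 16 == 1:  # dwStrucVersion high word is 1 in a genuine block
            fmt = "%d.%d.%d.%d"
            return (fmt % (fv_ms >> 16, fv_ms & 0xFFFF, fv_ls >> 16, fv_ls & 0xFFFF),
                    fmt % (pv_ms >> 16, pv_ms & 0xFFFF, pv_ls >> 16, pv_ls & 0xFFFF))
        pos = data.find(sig, pos + 1)
    return None

def assess(data: bytes, advertised: str) -> dict:
    """Compare the embedded FileVersion with the vendor's advertised version.
    A scanner keyed on PE metadata misjudges any file where metadata_matches is False."""
    versions = read_pe_versions(data)
    file_version, product_version = versions if versions else (None, None)
    return {"advertised": advertised, "file_version": file_version,
            "product_version": product_version,
            "metadata_matches": bool(versions) and normalize(file_version) == normalize(advertised)}

def build_fixed_file_info(file_version: str, product_version: str) -> bytes:
    """Constructed VS_FIXEDFILEINFO block (13 DWORDs) used only for the sample below."""
    fv, pv = normalize(file_version), normalize(product_version)
    return struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000,
                       (fv[0] << 16) | fv[1], (fv[2] << 16) | fv[3],
                       (pv[0] << 16) | pv[1], (pv[2] << 16) | pv[3],
                       0x3F, 0, 0x40004, 1, 0, 0, 0)

# Constructed stand-in for an installed executable: stub header plus a version block reporting 2.9.0.0.
SAMPLE_PE = b"MZ" + bytes(62) + b"PE\0\0" + bytes(28) + build_fixed_file_info("2.9.0.0", "2.9.0.0")

if __name__ == "__main__":  # usage: python check.py <jenkins.exe> <advertised-version>
    import sys
    print(assess(open(sys.argv[1], "rb").read(), sys.argv[2]))
```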

Conclusion

Flexera has added detection capabilities that recognize the Jenkins installation files on Windows and flag them in SVM scan results. Because of the version metadata problem explained above, we cannot yet add the further assessment capabilities that would determine whether your version is EOL, Insecure, or Patched. Flexera will continue monitoring Jenkins 2.x releases and will enable assessment capabilities as soon as the vendor supplies installation files whose metadata versions match the advertised ones.

Until then, the product will simply appear with a “Patched” status; we understand that this status is potentially incorrect for your version of Jenkins. We are monitoring this closely and, once the vendor corrects the metadata, we will update the rules accordingly.

Last update: Feb 03, 2021 05:52 AM