This advisory announces a vulnerability in Jenkins.
Updated 2017-09-28: Clarified which options are disabled by default. Clarified that it affects only instances that originally installed 2.80.
JENKINS-47139
Jenkins 2.80 did not correctly initialize the setup wizard on the first startup. As a result, the following security settings were not set to their usual strict defaults:
No security realm was defined, and no admin user was created whose password was written to the Jenkins log or the initialAdminPassword file.
The authorization strategy remained Anyone can do anything rather than Logged-in users can do anything.
The TCP port for JNLP agents, which is usually disabled by default, was open unless the Java system property controlling it was set.
CLI over Remoting was enabled.
CSRF Protection was disabled.
Agent → Master Access Control was disabled.
Affected instances need to be configured to restrict access.
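The six symptoms listed above can be checked in one pass from the Jenkins script console (Manage Jenkins → Script Console, which requires Overall/Administer). The following Groovy script is an added example for this advisory, not part of the advisory or of Jenkins itself; it is read-only and only reports which of the settings are still at the insecure state described here. It assumes a Jenkins 2.x release of that era: the `jenkins.CLI` global setting it queries existed only while CLI over Remoting was still part of core, and `AdminWhitelistRule` is the core class behind Agent → Master Access Control.

```groovy
// Added audit example, not part of the Jenkins advisory or of Jenkins core.
// Run in Manage Jenkins -> Script Console on an affected-era 2.x instance.
// Read-only: it reports findings and changes no settings.
import jenkins.model.Jenkins
import hudson.security.SecurityRealm
import hudson.security.AuthorizationStrategy
import jenkins.security.s2m.AdminWhitelistRule

def j = Jenkins.instance
def findings = []

// 1. Security realm: SecurityRealm.NO_AUTHENTICATION means nobody has to log in.
if (j.securityRealm == SecurityRealm.NO_AUTHENTICATION) {
    findings << 'No security realm is configured (authentication is disabled)'
}

// 2. Authorization strategy: AuthorizationStrategy.UNSECURED is "Anyone can do anything".
if (j.authorizationStrategy == AuthorizationStrategy.UNSECURED) {
    findings << 'Authorization strategy is "Anyone can do anything"'
}

// 3. TCP port for JNLP agents: -1 = disabled, 0 = random port, >0 = fixed port.
if (j.slaveAgentPort != -1) {
    def port = j.slaveAgentPort == 0 ? 'random' : j.slaveAgentPort.toString()
    findings << "TCP port for JNLP agents is enabled (${port})"
}

// 4. CLI over Remoting: the jenkins.CLI global configuration toggle.
if (jenkins.CLI.get().enabled) {
    findings << 'CLI over Remoting is enabled'
}

// 5. CSRF protection: a null crumb issuer means it is switched off.
if (j.crumbIssuer == null) {
    findings << 'CSRF Protection is disabled'
}

// 6. Agent -> Master Access Control: the "master kill switch" being on means it is disabled.
def rule = j.injector.getInstance(AdminWhitelistRule)
if (rule.masterKillSwitch) {
    findings << 'Agent -> Master Access Control is disabled'
}

if (findings.isEmpty()) {
    println 'No JENKINS-47139 symptoms found: all six settings are at their strict defaults.'
} else {
    println "Settings matching the JENKINS-47139 symptoms (${findings.size()}):"
    findings.each { println " - ${it}" }
}
return null
```

Any finding the script prints corresponds to one of the settings the advisory says must be restricted; each is then corrected in Manage Jenkins → Configure Global Security, and the script can be re-run to confirm that the list is empty.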
Jenkins instances that were upgraded from 2.79 or earlier to 2.80 without completing the setup wizard will no longer show the setup wizard; instead, they are locked and require the initial administrator password to unlock.
JENKINS-47139: high