<figure class="wp-block-image size-full"><img src="https://smartango.com/wp-content/uploads/2025/09/image.png" alt="" class="wp-image-703"/></figure>
<p class="wp-block-paragraph">I spent a long day dealing with a Jenkins runtime update (from JDK 17 to JDK 21) and the authorisation plugin (Matrix Auth) ceasing to work. Here is the tale.</p>
<p class="wp-block-paragraph">Involved systems:</p>
<ul class="wp-block-list">
<li>Jenkins in Docker: https://github.com/jenkinsci/docker/blob/master/debian/trixie/hotspot/Dockerfile (or maybe the slim variant)</li>
<li>https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/client-and-managed-controllers/after-updating-matrix-project-plugin-jenkins-fails-to-restart</li>
<li>Updating from <em>jenkins/jenkins:lts-jdk17</em> to <em>jenkins/jenkins:lts-jdk21</em></li>
</ul>
<p class="wp-block-paragraph">The error log messages were related to hudson, to matrix, and to authorization:</p>
<pre class="wp-block-preformatted">Caused: jenkins.util.xstream.CriticalXStreamException:
[LF]> ---- Debugging information ----
[LF]> cause-exception : com.thoughtworks.xstream.mapper.CannotResolveClassException
[LF]> cause-message : hudson.security.GlobalMatrixAuthorizationStrategy
[LF]> class : hudson.model.Hudson
[LF]> required-type : hudson.model.Hudson
[LF]> converter-type : hudson.util.RobustReflectionConverter
[LF]> path : /hudson/authorizationStrategy
[LF]> line number : 14
[LF]> version : 2.516.3
[LF]> -------------------------------
 at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:384)
 at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:291)</pre>
<h2 class="wp-block-heading">What happened</h2>
<p class="wp-block-paragraph">The goal was to update Jenkins LTS to JDK 21. My strategy was:</p>
<ol class="wp-block-list">
<li>Update all possible plugins</li>
<li>Restart</li>
<li>Update the image used</li>
<li>Update all possible plugins again</li>
</ol>
<p class="wp-block-paragraph">But after step 3 I had trouble restarting the image, which is controlled by a Docker Swarm service.</p>
<p class="wp-block-paragraph">I followed the suggestion on https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/client-and-managed-controllers/after-updating-matrix-project-plugin-jenkins-fails-to-restart and downloaded the latest version from https://plugins.jenkins.io/matrix-project/releases/</p>
<p class="wp-block-paragraph">I even tried to launch the command: <code>jenkins-plugin-cli --plugins matrix-project:858.vb_b_eb_9a_7ea_99e</code></p>
<p class="wp-block-paragraph">(And yes, I was successful! I ran it in the 30 seconds before the service hung. Anyway, this does not work.)</p>
<h2 class="wp-block-heading">What I did (some time later)</h2>
<p class="wp-block-paragraph">I inspected config.xml, disabled security, and commented out the whole access matrix:</p>
<pre class="wp-block-preformatted">&lt;useSecurity&gt;false&lt;/useSecurity&gt;
&lt;!--authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy"&gt;
....
&lt;/authorizationStrategy--&gt;</pre>
<p class="wp-block-paragraph">I copied <code>config.xml</code> to <code>config.xml-saved</code>.</p>
<p class="wp-block-paragraph">Everyone could access everything, but the service finally started.</p>
<p class="wp-block-paragraph">Then I updated all upgradable plugins, fixed the deprecated ones, and restarted.</p>
<p class="wp-block-paragraph">But in the end I chose to adopt another security model, still using the matrix, but with the Redmine database as the user source.</p>
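<p class="wp-block-paragraph">The manual config.xml recovery described above, as an added example (not code from this post or from Jenkins): it sets useSecurity to false and turns the authorizationStrategy element into an XML comment so the matrix is kept for later restoration. The SAMPLE_CONFIG, its XML 1.0 declaration and its single permission entry are constructed assumptions standing in for a real controller's file.</p>

```python
import xml.etree.ElementTree as ET


def security_state(xml_text):
    """Return (useSecurity text, authorizationStrategy class or None)."""
    root = ET.fromstring(xml_text)
    strategy = root.find("authorizationStrategy")
    return root.findtext("useSecurity"), None if strategy is None else strategy.get("class")


def disable_matrix_auth(xml_text):
    """Set <useSecurity> to false and turn <authorizationStrategy> into an
    XML comment, so the original matrix survives for later restoration."""
    root = ET.fromstring(xml_text)
    if root.tag != "hudson":
        raise ValueError("not a Jenkins controller config.xml")
    use_security = root.find("useSecurity")
    if use_security is None:
        use_security = ET.SubElement(root, "useSecurity")
    use_security.text = "false"
    strategy = root.find("authorizationStrategy")
    if strategy is not None:
        original = ET.tostring(strategy, encoding="unicode").strip()
        idx = list(root).index(strategy)
        root.remove(strategy)
        # "--" is not allowed inside an XML comment body.
        root.insert(idx, ET.Comment(" " + original.replace("--", "- -") + " "))
    ET.indent(root)  # Python 3.9+
    body = ET.tostring(root, encoding="unicode")
    # ElementTree drops the declaration; keep the original line (Jenkins writes 1.1).
    stripped = xml_text.lstrip()
    decl = stripped.split("\n", 1)[0] + "\n" if stripped.startswith("<?xml") else ""
    return decl + body + "\n"


# Constructed sample of a controller config.xml, trimmed to the relevant elements.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>2.516.3</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>
"""

if __name__ == "__main__":
    # Real usage: copy config.xml aside (config.xml-saved in the post) before overwriting it.
    print(disable_matrix_auth(SAMPLE_CONFIG))
```

<p class="wp-block-paragraph">Once the plugin providing the strategy class is installed again, the commented-out block can be restored verbatim and useSecurity set back to true.</p>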
<h2 class="wp-block-heading">All in all: what does the Matrix plugin do?</h2>
<figure class="wp-block-embed"><div class="wp-block-embed__wrapper">
https://plugins.jenkins.io/matrix-project
</div></figure>
<p class="wp-block-paragraph">Matrix project gives full control over user permissions:</p>
<figure class="wp-block-image size-large"><img src="https://smartango.com/wp-content/uploads/2025/09/image-1-1024x433.png" alt="" class="wp-image-705"/></figure>
<p class="wp-block-paragraph">That is a key component of a multi-user setup.</p>
<h2 class="wp-block-heading">Update 29/09/2025</h2>
<h3 class="wp-block-heading">Security, in details</h3>
<p class="wp-block-paragraph">Security assessment: Attacks vs Risks</p>
<figure class="wp-block-image size-large"><img src="https://smartango.com/wp-content/uploads/2025/09/image-2-1024x144.png" alt="" class="wp-image-708"/></figure>
<pre class="wp-block-preformatted">Gogs plugin 1.0.15
Non-constant time webhook token comparison (no fix available)
Unsafe default behavior and information disclosure in webhook (no fix available)
No fixes for these issues are available. It is recommended that you review the security advisory and apply mitigations if possible, or uninstall this plugin.
docker-build-step 2.12
CSRF vulnerability and missing permission check (no fix available)
No fixes for these issues are available. It is recommended that you review the security advisory and apply mitigations if possible, or uninstall this plugin.</pre>
<pre class="wp-block-code"><code>https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2896</code></pre>
<pre class="wp-block-preformatted">Non-constant time webhook token comparison in Gogs Plugin
SECURITY-2896 / CVE-2023-46657
Severity (CVSS): Low
Affected plugin: gogs-webhook
Description:
Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.</pre>
<p class="wp-block-paragraph">This could potentially allow attackers to use statistical methods to obtain a valid webhook token.</p>
<p class="wp-block-paragraph">As of publication of this advisory, there is no fix. Learn why we announce this.</p>
<p class="wp-block-paragraph">Real attack/risk: discovery of the token can at most launch an unwanted build, but still from the same git repository and branch, so idempotent.</p>
<pre class="wp-block-code"><code>https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2894</code></pre>
<pre class="wp-block-preformatted">Unsafe default behavior and information disclosure in Gogs Plugin webhook
SECURITY-2894 / CVE-2023-40348 (information disclosure), CVE-2023-40349 (insecure default)
Severity (CVSS): Medium
Affected plugin: gogs-webhook
Description:
Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default.</pre>
<p class="wp-block-paragraph">This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name.</p>
<p class="wp-block-paragraph">Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.</p>
<p class="wp-block-paragraph">As of publication of this advisory, there is no fix. Learn why we announce this.</p>
<p class="wp-block-paragraph">Same risk as above.</p>
<pre class="wp-block-code"><code>https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3200</code></pre>
<pre class="wp-block-preformatted">CSRF vulnerability and missing permission check in docker-build-step Plugin
SECURITY-3200 / CVE-2024-2215 (CSRF), CVE-2024-2216 (permission check)
Severity (CVSS): Medium
Affected plugin: docker-build-step
Description:
docker-build-step Plugin 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided connection test parameters, affecting future build step executions.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.</pre>
<p class="wp-block-paragraph">Real risk: “attackers with Overall/Read permission” must already have access to the system, which is protected by Matrix Auth.</p>
<h2 class="wp-block-heading">Conclusion of security assessment</h2>
<p class="wp-block-paragraph">Addressing each detailed attack vector is of course a good idea, but it has a cost. That cost is not matched by a real gain in security.</p>