Closed Bug 1334721 Opened 8 years ago Closed 8 years ago

Outdated Jenkins Ver 1.595 Instance Situated on - http://qa.stage.mozaws.net:8080/

Categories

(Websites :: Other, defect)

Staging
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Assigned: rpapa)

Details

(Keywords: sec-high, wsec-other)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce:

Situated at - http://qa.stage.mozaws.net:8080/ (WHOIS Information Indicates that this is a Mozilla owned domain)

Jenkins version 1.595 was released on 2014/12/21. Since then Multiple Remote Code Execution Vulnerabilities have been released for this platform.

I believe that this Jenkins instance may have been forgotten about by Mozilla as other instances are running the latest version.

Registration on this Instance also appears to be enabled by default.

Actual results:

Jenkins Instance is outdated and may be vulnerable to Remote Code Execution vulnerabilities.

Expected results:

This instance should either be decommissioned or updated to the latest version.
Assignee: nobody → rpappalardo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(rpappalardo)
Version: unspecified → Staging
Keywords: sec-high, wsec-other
Thanks for the triage on this report Greg. Much appreciated.
It should also be noted that the instance allows sign up (with no perms), not sure why that is, and that it's not requiring HTTPS. Recommend that we pull it private or follow best practices with this host if it's going to stay public.
Flags: needinfo?(rpappalardo)
This server was set up by QA mgr who is no longer w/ Mozilla. We no longer need this server so I will decommission.
I've decommissioned the host.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Confirmed as fixed. Thanks for the quick turnaround time on this report like usual.
Group: websites-security