Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread Eric Fetzer
Thanks, guess we'll have to wait.  It's not based on what we do, it's just
security scan software.  It's not like anyone can get to it anyway, it's
inside the wall, but it is what it is.  This one will have to become a
POAM.  Do you have any clue when the fix is coming up?  Again, THANKS for
all your help!

On Wed, Feb 10, 2021 at 1:25 PM kuisathaverat wrote:

> I’ve re-read your first message; you ask for “Jenkins CLI over SSH”, there
> you cannot do anything until we replace the ssh-module. The module will
> support those MACs and it is not possible to disable them. However, I doubt
> that the Jenkins CLI uses those MACs, and you can always use HTTPS.
>
> On Wed, 10 Feb 2021 at 18:28, Eric Fetzer wrote:
>
>> My MACs line says:
>>
>> MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd...@openssh.com
>>
>> I believe this is hardened, isn't it?
>>
>> Thanks,
>> Eric
>>
>> On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat 
>> wrote:
>>
>>> hmac-* are Message authentication code algorithms (MACs), so you have to
>>> configure the Message authentication code algorithms (MACs) you support, for
>>> example
>>>
>>> MACs hmac-sha2-256,hmac-sha2-512
>>>
>>> see
>>> https://www.ssh.com/ssh/sshd_config/#common-configuration-changes-for-the-enterprise
>>>
>>> On Wed, 10 Feb 2021 at 17:24, Eric Fetzer () wrote:
>>>
 Hmmm, I already hardened by that link:
 https://www.ssh.com/ssh/sshd_config

 My /etc/ssh/sshd_config has:

 Ciphers aes128-ctr,aes192-ctr,aes256-ctr

 This is still showing up on my security scan though.  Am I missing
 something?

 Thanks,
 Eric

 On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat 
 wrote:

> There is work in progress to bump the version of the library and
> convert the sshd-module into a plugin to resolve this kind of issue
> quickly.
> For the moment you can configure your sshd servers on the Agents side to
> not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.
>
> https://github.com/jenkinsci/sshd-module/pull/37
> https://github.com/jenkinsci/sshd-module/pull/38
>
>
> On Tue, 9 Feb 2021 at 17:19, eric@gmail.com (<eric.fet...@gmail.com>)
> wrote:
>
>> I'm sorry, I just saw the last comment on here and, once again, this
>> showed up on our vulnerability report.  I don't get exactly what I need 
>> to
>> do in order to fix this.  Can someone lay it out for me please?  Thanks -
>> Eric
>>
>> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6
>> kuisat...@gmail.com wrote:
>>
>>> I was wrong, you cannot configure the ciphers for the ssh server in
>>> the Java security files. The SSH server on Jenkins uses
>>> https://github.com/apache/mina-sshd ; IIRC the Jenkins
>>> implementation of the ssh server does not read the sshd_config files, so it is
>>> not possible to configure the ssh server. Apache mina has deprecated and
>>> disabled those algorithms in 2.6.0
>>> (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module
>>> and CLI are using 1.7.0
>>> (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42
>>> and
>>> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so
>>> I guess both should bump the dependency to remove support for weak
>>> algorithms.
>>>
>>>
>>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
>>> eric@gmail.com wrote:
>>>
 I think I found the solution to this:


 https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/


 On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com
 wrote:

> I'm confused.  It doesn't look like the ciphers the vulnerability
> is citing are allowed in the java.security file on this system.  We're
> getting flagged for:
>
>  hmac-md5
>   hmac-md5-96
>   hmac-sha1-96
>
> Settings are:
>
> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize
> < 1024, \
> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>
> Am I missing this, not a java security expert by any means...
> Thanks!
> On Monday, August 24, 2020 at 11:09:43 AM UTC-6
> kuisat...@gmail.com wrote:
>
>> Yes, to configure the ciphers accepted by your JDK, edit the
>> file lib\security\java.security (the path will vary based on your Java
>> version)
>>
>> On Monday, 24 August 2020 at 16:48:22 UTC+2,
>> eric@gmail.com wrote:
>>
>>> Hi all!  I'm getting hit by my security team for a vulnerability
>>> for the Jenkins CLI via ssh allowing the following weak ciphers:
>>>
>>>   hmac-md5
>>>   hmac-md5-

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread kuisathaverat
I’ve re-read your first message; you ask for “Jenkins CLI over SSH”, there
you cannot do anything until we replace the ssh-module. The module will
support those MACs and it is not possible to disable them. However, I doubt
that the Jenkins CLI uses those MACs, and you can always use HTTPS.

On Wed, 10 Feb 2021 at 18:28, Eric Fetzer wrote:

> My MACs line says:
>
> MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd...@openssh.com
>
> I believe this is hardened, isn't it?
>
> Thanks,
> Eric
>
> On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat 
> wrote:
>
>> hmac-* are Message authentication code algorithms (MACs), so you have to
>> configure the Message authentication code algorithms (MACs) you support, for
>> example
>>
>> MACs hmac-sha2-256,hmac-sha2-512
>>
>> see
>> https://www.ssh.com/ssh/sshd_config/#common-configuration-changes-for-the-enterprise
>>
>> On Wed, 10 Feb 2021 at 17:24, Eric Fetzer () wrote:
>>
>>> Hmmm, I already hardened by that link:
>>> https://www.ssh.com/ssh/sshd_config
>>>
>>> My /etc/ssh/sshd_config has:
>>>
>>> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
>>>
>>> This is still showing up on my security scan though.  Am I missing
>>> something?
>>>
>>> Thanks,
>>> Eric
>>>
>>> On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat 
>>> wrote:
>>>
 There is work in progress to bump the version of the library and
 convert the sshd-module into a plugin to resolve this kind of issue quickly.
 For the moment you can configure your sshd servers on the Agents side to
 not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.

 https://github.com/jenkinsci/sshd-module/pull/37
 https://github.com/jenkinsci/sshd-module/pull/38


 On Tue, 9 Feb 2021 at 17:19, eric@gmail.com (<eric.fet...@gmail.com>)
 wrote:

> I'm sorry, I just saw the last comment on here and, once again, this
> showed up on our vulnerability report.  I don't get exactly what I need to
> do in order to fix this.  Can someone lay it out for me please?  Thanks -
> Eric
>
> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com
> wrote:
>
>> I was wrong, you cannot configure the ciphers for the ssh server in
>> the Java security files. The SSH server on Jenkins uses
>> https://github.com/apache/mina-sshd ; IIRC the Jenkins
>> implementation of the ssh server does not read the sshd_config files, so it is
>> not possible to configure the ssh server. Apache mina has deprecated and
>> disabled those algorithms in 2.6.0
>> (https://issues.apache.org/jira/browse/SSHD-1004); the sshd-module and
>> CLI are using 1.7.0
>> (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
>> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so
>> I guess both should bump the dependency to remove support for weak
>> algorithms.
>>
>>
>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
>> eric@gmail.com wrote:
>>
>>> I think I found the solution to this:
>>>
>>>
>>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>>
>>>
>>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com
>>> wrote:
>>>
 I'm confused.  It doesn't look like the ciphers the vulnerability
 is citing are allowed in the java.security file on this system.  We're
 getting flagged for:

  hmac-md5
   hmac-md5-96
   hmac-sha1-96

 Settings are:

 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize
 < 1024, \
 EC keySize < 224, 3DES_EDE_CBC, anon, NULL

 Am I missing this, not a java security expert by any means...
 Thanks!
 On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com
 wrote:

> Yes, to configure the ciphers accepted by your JDK, edit the
> file lib\security\java.security (the path will vary based on your Java
> version)
>
> On Monday, 24 August 2020 at 16:48:22 UTC+2,
> eric@gmail.com wrote:
>
>> Hi all!  I'm getting hit by my security team for a vulnerability
>> for the Jenkins CLI via ssh allowing the following weak ciphers:
>>
>>   hmac-md5
>>   hmac-md5-96
>>   hmac-sha1-96
>>
>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>
>> Thanks,
>> Eric
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Jenkins Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/jenkinsci-users/f84HCfhF4vY/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> jenkinsci-users+unsubscr.

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread Eric Fetzer
My MACs line says:

MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd...@openssh.com

I believe this is hardened, isn't it?

Thanks,
Eric

On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat 
wrote:

> hmac-* are Message authentication code algorithms (MACs), so you have to
> configure the Message authentication code algorithms (MACs) you support, for
> example
>
> MACs hmac-sha2-256,hmac-sha2-512
>
> see
> https://www.ssh.com/ssh/sshd_config/#common-configuration-changes-for-the-enterprise
>
> On Wed, 10 Feb 2021 at 17:24, Eric Fetzer () wrote:
>
>> Hmmm, I already hardened by that link:
>> https://www.ssh.com/ssh/sshd_config
>>
>> My /etc/ssh/sshd_config has:
>>
>> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
>>
>> This is still showing up on my security scan though.  Am I missing
>> something?
>>
>> Thanks,
>> Eric
>>
>> On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat 
>> wrote:
>>
>>> There is work in progress to bump the version of the library and convert
>>> the sshd-module into a plugin to resolve this kind of issue quickly. For the
>>> moment you can configure your sshd servers on the Agents side to not
>>> allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.
>>>
>>> https://github.com/jenkinsci/sshd-module/pull/37
>>> https://github.com/jenkinsci/sshd-module/pull/38
>>>
>>>
>>> On Tue, 9 Feb 2021 at 17:19, eric@gmail.com (<eric.fet...@gmail.com>)
>>> wrote:
>>>
 I'm sorry, I just saw the last comment on here and, once again, this
 showed up on our vulnerability report.  I don't get exactly what I need to
 do in order to fix this.  Can someone lay it out for me please?  Thanks -
 Eric

 On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com
 wrote:

> I was wrong, you cannot configure the ciphers for the ssh server in the
> Java security files. The SSH server on Jenkins uses
> https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation
> of the ssh server does not read the sshd_config files, so it is not possible to
> configure the ssh server. Apache mina has deprecated and disabled those
> algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004);
> the sshd-module and CLI are using 1.7.0
> (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I
> guess both should bump the dependency to remove support for weak
> algorithms.
>
>
> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
> eric@gmail.com wrote:
>
>> I think I found the solution to this:
>>
>>
>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>
>>
>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com
>> wrote:
>>
>>> I'm confused.  It doesn't look like the ciphers the vulnerability is
>>> citing are allowed in the java.security file on this system.  We're 
>>> getting
>>> flagged for:
>>>
>>>  hmac-md5
>>>   hmac-md5-96
>>>   hmac-sha1-96
>>>
>>> Settings are:
>>>
>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize <
>>> 1024, \
>>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>>
>>> Am I missing this, not a java security expert by any means...
>>> Thanks!
>>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com
>>> wrote:
>>>
 Yes, to configure the ciphers accepted by your JDK, edit the
 file lib\security\java.security (the path will vary based on your Java
 version)

 On Monday, 24 August 2020 at 16:48:22 UTC+2,
 eric@gmail.com wrote:

> Hi all!  I'm getting hit by my security team for a vulnerability
> for the Jenkins CLI via ssh allowing the following weak ciphers:
>
>   hmac-md5
>   hmac-md5-96
>   hmac-sha1-96
>
> Is there a way to configure ciphers accepted for the Jenkins CLI?
>
> Thanks,
> Eric
>

>>>
>>>
>>> --
>>> Regards
>>> Iván Fernández Calvo
>>> https://www.linkedin.com/in/iv%C3%A1n-fern%C3%A1ndez-calvo-21425033
>>>

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread kuisathaverat
hmac-* are Message authentication code algorithms (MACs), so you have to
configure the Message authentication code algorithms (MACs) you support, for
example

MACs hmac-sha2-256,hmac-sha2-512

see
https://www.ssh.com/ssh/sshd_config/#common-configuration-changes-for-the-enterprise

On Wed, 10 Feb 2021 at 17:24, Eric Fetzer () wrote:

> Hmmm, I already hardened by that link:
> https://www.ssh.com/ssh/sshd_config
>
> My /etc/ssh/sshd_config has:
>
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
>
> This is still showing up on my security scan though.  Am I missing
> something?
>
> Thanks,
> Eric
>
> On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat 
> wrote:
>
>> There is work in progress to bump the version of the library and convert
>> the sshd-module into a plugin to resolve this kind of issue quickly. For the
>> moment you can configure your sshd servers on the Agents side to not
>> allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.
>>
>> https://github.com/jenkinsci/sshd-module/pull/37
>> https://github.com/jenkinsci/sshd-module/pull/38
>>
>>
>> On Tue, 9 Feb 2021 at 17:19, eric@gmail.com (<eric.fet...@gmail.com>)
>> wrote:
>>
>>> I'm sorry, I just saw the last comment on here and, once again, this
>>> showed up on our vulnerability report.  I don't get exactly what I need to
>>> do in order to fix this.  Can someone lay it out for me please?  Thanks -
>>> Eric
>>>
>>> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com
>>> wrote:
>>>
 I was wrong, you cannot configure the ciphers for the ssh server in the
 Java security files. The SSH server on Jenkins uses
 https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation
 of the ssh server does not read the sshd_config files, so it is not possible to
 configure the ssh server. Apache mina has deprecated and disabled those
 algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004);
 the sshd-module and CLI are using 1.7.0
 (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
 https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I
 guess both should bump the dependency to remove support for weak algorithms.


 On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
 eric@gmail.com wrote:

> I think I found the solution to this:
>
>
> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>
>
> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com
> wrote:
>
>> I'm confused.  It doesn't look like the ciphers the vulnerability is
>> citing are allowed in the java.security file on this system.  We're 
>> getting
>> flagged for:
>>
>>  hmac-md5
>>   hmac-md5-96
>>   hmac-sha1-96
>>
>> Settings are:
>>
>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize <
>> 1024, \
>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>
>> Am I missing this, not a java security expert by any means...  Thanks!
>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com
>> wrote:
>>
>>> Yes, to configure the ciphers accepted by your JDK, edit the
>>> file lib\security\java.security (the path will vary based on your Java
>>> version)
>>>
>>> On Monday, 24 August 2020 at 16:48:22 UTC+2,
>>> eric@gmail.com wrote:
>>>
 Hi all!  I'm getting hit by my security team for a vulnerability for
 the Jenkins CLI via ssh allowing the following weak ciphers:

   hmac-md5
   hmac-md5-96
   hmac-sha1-96

 Is there a way to configure ciphers accepted for the Jenkins CLI?

 Thanks,
 Eric


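Added example, not code from this thread or from the Jenkins project: a Python checker that audits an OpenSSH sshd_config the way the advice above suggests. It parses the global Ciphers and MACs directives (first value wins, as OpenSSH does), treats the two MACs from the ssh.com page and Eric's three aes*-ctr ciphers as the allow-lists, reports any other algorithm, and flags the case Eric's first config had: Ciphers set but no MACs line, so the OpenSSH version default stays in force. A value beginning with +, - or ^ modifies that default rather than replacing it and is reported for manual checking with sshd -T. Both sample configs are constructed. The caveat from this thread still applies: this audits OpenSSH only; the Jenkins CLI SSH listener is Apache MINA SSHD and does not read this file.

```python
"""Audit an OpenSSH sshd_config for missing, relative or non-recommended
Ciphers/MACs directives.  Added example; not code from the Jenkins thread
or the Jenkins project.  Allow-lists and sample configs are constructed."""
import re

# MACs recommended by the ssh.com hardening page linked in the thread.
RECOMMENDED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}
# The cipher list Eric set, used here as the cipher allow-list.
RECOMMENDED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
# MAC names the scanner in the thread reported.
SCANNER_FLAGGED_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Constructed sample: Ciphers set but no MACs line at all.
CIPHERS_ONLY_CONFIG = """\
# constructed sample
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
"""

# Constructed sample: a MACs line still carrying ripemd160 entries, plus a
# duplicate lower-case 'macs' line that OpenSSH ignores (first value wins).
RIPEMD_CONFIG = """\
# constructed sample
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
macs hmac-sha2-256
"""


def parse_sshd_config(text):
    """Return the global keywords as {keyword_lower: value}.

    Keywords are case-insensitive and, for each keyword, OpenSSH uses the
    first value it obtains, so later duplicates are ignored here as well.
    Parsing stops at the first Match block: Ciphers and MACs are not valid
    inside Match, so everything relevant is global.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    return found


def split_alg_list(value):
    """Split a Ciphers/MACs value into (mode, names).

    mode is 'absolute' for a plain comma list, or '+', '-' or '^' when the
    value appends to, removes from or prepends to the version default
    instead of replacing it; such a list cannot be judged from the file alone.
    """
    mode = "absolute"
    if value and value[0] in "+-^":
        mode, value = value[0], value[1:]
    return mode, [v.strip() for v in value.split(",") if v.strip()]


def audit(text):
    """Return findings as (directive, status, detail) tuples.

    status is 'unset' (version default in force), 'relative' (value
    modifies the default; check with 'sshd -T') or 'weak' (detail is a
    name outside the allow-list).
    """
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in (("macs", RECOMMENDED_MACS),
                         ("ciphers", RECOMMENDED_CIPHERS)):
        if key not in cfg:
            findings.append((key, "unset", None))
            continue
        mode, names = split_alg_list(cfg[key])
        if mode != "absolute":
            findings.append((key, "relative", mode))
            continue
        for name in names:
            if name not in allowed:
                findings.append((key, "weak", name))
    return findings


def describe(finding):
    """Render one finding as a report line."""
    key, status, detail = finding
    if status == "unset":
        return (f"{key}: not set; the OpenSSH version default applies and "
                f"may still include algorithms a scanner flags")
    if status == "relative":
        return (f"{key}: value starts with '{detail}', so it modifies the "
                f"default; run 'sshd -T' to see the effective list")
    flagged = " (in the scanner's list)" if detail in SCANNER_FLAGGED_MACS else ""
    return f"{key}: {detail} is outside the recommended set{flagged}"


if __name__ == "__main__":
    for label, cfg in (("ciphers-only", CIPHERS_ONLY_CONFIG),
                       ("ripemd", RIPEMD_CONFIG)):
        print(f"== {label} ==")
        findings = audit(cfg)
        if not findings:
            print("  no findings")
        for f in findings:
            print("  " + describe(f))
```

Running it against a real server's file (`audit(open("/etc/ssh/sshd_config").read())`) reports the OpenSSH side; whether the scanner is in fact talking to OpenSSH or to the separate Jenkins SSH port is a question the port number in the finding answers, not this script.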
Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread Eric Fetzer
Hmmm, I already hardened by that link:  https://www.ssh.com/ssh/sshd_config

My /etc/ssh/sshd_config has:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is still showing up on my security scan though.  Am I missing
something?

Thanks,
Eric

On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat 
wrote:

> There is work in progress to bump the version of the library and convert
> the sshd-module into a plugin to resolve this kind of issue quickly. For the
> moment you can configure your sshd servers on the Agents side to not
> allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.
>
> https://github.com/jenkinsci/sshd-module/pull/37
> https://github.com/jenkinsci/sshd-module/pull/38
>
>
> On Tue, 9 Feb 2021 at 17:19, eric@gmail.com () wrote:
>
>> I'm sorry, I just saw the last comment on here and, once again, this
>> showed up on our vulnerability report.  I don't get exactly what I need to
>> do in order to fix this.  Can someone lay it out for me please?  Thanks -
>> Eric
>>
>> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com
>> wrote:
>>
>>> I was wrong, you cannot configure the ciphers for the ssh server in the
>>> Java security files. The SSH server on Jenkins uses
>>> https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation
>>> of the ssh server does not read the sshd_config files, so it is not possible to
>>> configure the ssh server. Apache mina has deprecated and disabled those
>>> algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004);
>>> the sshd-module and CLI are using 1.7.0
>>> (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
>>> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I
>>> guess both should bump the dependency to remove support for weak algorithms.
>>>
>>>
>>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
>>> eric@gmail.com wrote:
>>>
 I think I found the solution to this:


 https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/


 On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com
 wrote:

> I'm confused.  It doesn't look like the ciphers the vulnerability is
> citing are allowed in the java.security file on this system.  We're 
> getting
> flagged for:
>
>  hmac-md5
>   hmac-md5-96
>   hmac-sha1-96
>
> Settings are:
>
> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize <
> 1024, \
> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>
> Am I missing this, not a java security expert by any means...  Thanks!
> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com
> wrote:
>
>> Yes, to configure the ciphers accepted by your JDK, edit the
>> file lib\security\java.security (the path will vary based on your Java
>> version)
>>
>> On Monday, 24 August 2020 at 16:48:22 UTC+2,
>> eric@gmail.com wrote:
>>
>>> Hi all!  I'm getting hit by my security team for a vulnerability for
>>> the Jenkins CLI via ssh allowing the following weak ciphers:
>>>
>>>   hmac-md5
>>>   hmac-md5-96
>>>   hmac-sha1-96
>>>
>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>
>>> Thanks,
>>> Eric
>>>


Re: Security Vulnerability on my Jenkins Server

2021-02-09 Thread kuisathaverat
There is work in progress to bump the version of the library and convert
the sshd-module into a plugin to resolve this kind of issue quickly. For the
moment you can configure your sshd servers on the Agents side to not
allow weak ciphers, see https://www.ssh.com/ssh/sshd_config.

https://github.com/jenkinsci/sshd-module/pull/37
https://github.com/jenkinsci/sshd-module/pull/38


On Tue, 9 Feb 2021 at 17:19, eric@gmail.com () wrote:

> I'm sorry, I just saw the last comment on here and, once again, this
> showed up on our vulnerability report.  I don't get exactly what I need to
> do in order to fix this.  Can someone lay it out for me please?  Thanks -
> Eric
>
> On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com
> wrote:
>
>> I was wrong, you cannot configure the ciphers for the ssh server in the
>> Java security files. The SSH server on Jenkins uses
>> https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of
>> the ssh server does not read the sshd_config files, so it is not possible to
>> configure the ssh server. Apache mina has deprecated and disabled those
>> algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the
>> sshd-module and CLI are using 1.7.0
>> (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
>> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I
>> guess both should bump the dependency to remove support for weak algorithms.
>>
>>
>> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
>> eric@gmail.com wrote:
>>
>>> I think I found the solution to this:
>>>
>>>
>>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>>
>>>
>>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com
>>> wrote:
>>>
 I'm confused.  It doesn't look like the ciphers the vulnerability is
 citing are allowed in the java.security file on this system.  We're getting
 flagged for:

  hmac-md5
   hmac-md5-96
   hmac-sha1-96

 Settings are:

 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize <
 1024, \
 EC keySize < 224, 3DES_EDE_CBC, anon, NULL

 Am I missing this, not a java security expert by any means...  Thanks!
 On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com
 wrote:

> Yes, to configure the ciphers accepted by your JDK, edit the
> file lib\security\java.security (the path will vary based on your Java
> version)
>
> On Monday, 24 August 2020 at 16:48:22 UTC+2,
> eric@gmail.com wrote:
>
>> Hi all!  I'm getting hit by my security team for a vulnerability for
>> the Jenkins CLI via ssh allowing the following weak ciphers:
>>
>>   hmac-md5
>>   hmac-md5-96
>>   hmac-sha1-96
>>
>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>
>> Thanks,
>> Eric
>>


-- 
Regards
Iván Fernández Calvo
https://www.linkedin.com/in/iv%C3%A1n-fern%C3%A1ndez-calvo-21425033



Re: Security Vulnerability on my Jenkins Server

2021-02-09 Thread eric....@gmail.com
I'm sorry, I just saw the last comment on here and, once again, this showed 
up on our vulnerability report.  I don't get exactly what I need to do in 
order to fix this.  Can someone lay it out for me please?  Thanks - Eric

On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com 
wrote:

> I was wrong, you cannot configure the ciphers for the ssh server in the
> Java security files. The SSH server on Jenkins uses
> https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of
> the ssh server does not read the sshd_config files, so it is not possible to
> configure the ssh server. Apache mina has deprecated and disabled those
> algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the
> sshd-module and CLI are using 1.7.0
> (https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
> https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I
> guess both should bump the dependency to remove support for weak algorithms.
>
>
> On Wednesday, 26 August 2020 at 16:06:22 UTC+2,
> eric@gmail.com wrote:
>
>> I think I found the solution to this:
>>
>>
>> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>>   
>>
>> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com wrote:
>>
>>> I'm confused.  It doesn't look like the ciphers the vulnerability is 
>>> citing are allowed in the java.security file on this system.  We're getting 
>>> flagged for:
>>>
>>>  hmac-md5
>>>   hmac-md5-96
>>>   hmac-sha1-96
>>>
>>> Settings are:
>>>
>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 
>>> 1024, \
>>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>>
>>> Am I missing this, not a java security expert by any means...  Thanks!
>>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com 
>>> wrote:
>>>
 Yes, to configure the ciphers accepted by your JDK, edit the
 file lib\security\java.security (the path will vary based on your Java
 version)

 On Monday, 24 August 2020 at 16:48:22 UTC+2, eric@gmail.com
 wrote:

> Hi all!  I'm getting hit by my security team for a vulnerability for
> the Jenkins CLI via ssh allowing the following weak ciphers:
>
>   hmac-md5
>   hmac-md5-96
>   hmac-sha1-96
>
> Is there a way to configure ciphers accepted for the Jenkins CLI?
>
> Thanks,
> Eric
>




Re: Security Vulnerability on my Jenkins Server

2020-08-26 Thread Ivan Fernandez Calvo
I was wrong, you cannot configure the ciphers for the ssh server in the Java
security files. The SSH server on Jenkins uses
https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of
the ssh server does not read the sshd_config files, so it is not possible to
configure the ssh server. Apache mina has deprecated and disabled those
algorithms in 2.6.0 (https://issues.apache.org/jira/browse/SSHD-1004); the
sshd-module and CLI are using 1.7.0
(https://github.com/jenkinsci/sshd-module/blob/master/pom.xml#L42 and
https://github.com/jenkinsci/jenkins/blob/master/cli/pom.xml#L77), so I guess
both should bump the dependency to remove support for weak algorithms.


On Wednesday, 26 August 2020 at 16:06:22 UTC+2, eric@gmail.com
wrote:

> I think I found the solution to this:
>
>
> https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
>   
>
> On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com wrote:
>
>> I'm confused.  It doesn't look like the ciphers the vulnerability is 
>> citing are allowed in the java.security file on this system.  We're getting 
>> flagged for:
>>
>>  hmac-md5
>>   hmac-md5-96
>>   hmac-sha1-96
>>
>> Settings are:
>>
>> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 
>> 1024, \
>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>>
>> Am I missing this, not a java security expert by any means...  Thanks!
>> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com 
>> wrote:
>>
>>> Yes, to configure the ciphers accepted by your JDK, edit the
>>> file lib\security\java.security (the path will vary based on your Java
>>> version)
>>>
>>> On Monday, 24 August 2020 at 16:48:22 UTC+2, eric@gmail.com
>>> wrote:
>>>
 Hi all!  I'm getting hit by my security team for a vulnerability for the
 Jenkins CLI via ssh allowing the following weak ciphers:

   hmac-md5
   hmac-md5-96
   hmac-sha1-96

 Is there a way to configure ciphers accepted for the Jenkins CLI?

 Thanks,
 Eric

>>>


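Added example, not the Jenkins project's tooling: a Python check for the dependency bump Iván describes above. It reads a Maven pom.xml, resolves ${property} references from the <properties> block, collects every org.apache.sshd dependency and reports those pinned below 2.6.0, the Apache MINA SSHD release that SSHD-1004 (cited above) ties to disabling the weak algorithms. The pom text is constructed and only resembles the sshd-module layout the message links to; the real file's content is not reproduced here.

```python
"""Report Apache MINA SSHD dependencies in a pom.xml that are pinned below
the release the thread cites as disabling the weak MACs (2.6.0, SSHD-1004).
Added example; not Jenkins project code.  The pom text is constructed."""
import re
import xml.etree.ElementTree as ET

MINA_GROUP = "org.apache.sshd"
FIXED_IN = "2.6.0"          # from the thread: SSHD-1004 landed in 2.6.0
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom: the MINA version is indirected through a property, as
# Maven projects commonly do, plus one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>constructed-sshd-consumer</artifactId>
  <properties>
    <sshd.version>1.7.0</sshd.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.sshd</groupId>
      <artifactId>sshd-core</artifactId>
      <version>${sshd.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated</artifactId>
      <version>3.1</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(v):
    """Turn '2.6.0' or '2.10.1' into a comparable tuple of ints.

    A qualifier after '-' or '+' (e.g. '-SNAPSHOT') is dropped, so such a
    version compares equal to its numeric core; non-numeric parts become 0.
    """
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def resolve(value, props):
    """Expand ${name} references against the <properties> block; unknown
    names are left as written so they show up in the report."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def mina_versions(pom_text):
    """Return {artifactId: resolved version} for every org.apache.sshd dependency."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    found = {}
    for dep in root.findall(".//m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        if group != MINA_GROUP:
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        version = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        found[artifact] = resolve(version, props)
    return found


def below_fix(pom_text):
    """Return the org.apache.sshd artifacts whose version is older than FIXED_IN."""
    return {a: v for a, v in mina_versions(pom_text).items()
            if version_key(v) < version_key(FIXED_IN)}


if __name__ == "__main__":
    stale = below_fix(SAMPLE_POM)
    if not stale:
        print(f"all {MINA_GROUP} dependencies are at {FIXED_IN} or newer")
    for artifact, version in stale.items():
        print(f"{MINA_GROUP}:{artifact} is {version}, below {FIXED_IN}")
```

Versions inherited from a parent pom or a dependencyManagement section are not resolved here; a pom that declares no <version> for the artifact is reported with an empty string, which is the cue to look at the parent.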

Re: Security Vulnerability on my Jenkins Server

2020-08-26 Thread eric....@gmail.com
I think I found the solution to this:

https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/

On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com wrote:

> I'm confused.  It doesn't look like the ciphers the vulnerability is 
> citing are allowed in the java.security file on this system.  We're getting 
> flagged for:
>
>   hmac-md5
>   hmac-md5-96
>   hmac-sha1-96
>
> Settings are:
>
> jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, 
> \
> EC keySize < 224, 3DES_EDE_CBC, anon, NULL
>
> Am I missing this, not a java security expert by any means...  Thanks!
> On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com wrote:
>
>> Yes, to configure the ciphers accepted by your JDK, edit the 
>> file lib\security\java.security (the path will vary based on your Java 
>> version).
>>
>> On Monday, 24 August 2020 at 16:48:22 UTC+2, eric@gmail.com wrote:
>>
>>> Hi all!  I'm getting hit by my security team for a vulnerability for the 
>>> Jenkins CLI via ssh allowing the following weak ciphers:
>>>
>>>   hmac-md5
>>>   hmac-md5-96
>>>   hmac-sha1-96
>>>
>>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>>
>>> Thanks,
>>> Eric
>>>
>>

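Neither knob named so far in this thread governs the Jenkins built-in SSH endpoint: `jdk.tls.disabledAlgorithms` applies to the JDK's TLS stack, and the linked article edits OpenSSH's `/etc/ssh/sshd_config`, while the Jenkins listener comes from sshd-module and the SSH library it depends on. The reliable check is therefore what a listener actually advertises; the following added example (not code from the thread or from Jenkins) decodes a server's SSH_MSG_KEXINIT and flags the three MACs the scanner reported. The host and port passed to `fetch_server_kexinit`, the client identification string, and the `SAMPLE_SERVER` name-lists are assumptions constructed for the example.

```python
import socket
import struct

# MACs flagged by the scanner in this thread.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
# The ten KEXINIT name-lists in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode byte 20, a 16-byte cookie, then ten uint32-prefixed comma-separated lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}
    for name in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        fields[name] = [a for a in raw.split(",") if a]
        pos += length
    return fields

def weak_macs_offered(fields: dict) -> set:
    """Weak MACs the server accepts in either direction."""
    return (set(fields["mac_c2s"]) | set(fields["mac_s2c"])) & WEAK_MACS

def build_kexinit(fields: dict) -> bytes:
    """Encode the same structure; used here only to construct sample input."""
    out = bytes([20]) + bytes(16)
    for name in FIELDS:
        body = ",".join(fields[name]).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + bytes(5)  # first_kex_packet_follows = false, reserved = 0

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Exchange identification strings with a live listener; decode its first packet (KEXINIT)."""
    with socket.create_connection((host, port), timeout) as sock:
        rd = sock.makefile("rb")
        rd.readline()  # server identification string, assumed to be the first line (SSH-2.0-...)
        sock.sendall(b"SSH-2.0-mac_audit\r\n")  # assumed client identification string
        (pkt_len,) = struct.unpack(">I", rd.read(4))
        pad_len = rd.read(1)[0]
        return parse_kexinit(rd.read(pkt_len - 1 - pad_len))

# Constructed sample: a server still offering two of the flagged MACs.
SAMPLE_SERVER = dict.fromkeys(FIELDS, [])
SAMPLE_SERVER.update(kex=["curve25519-sha256"], host_key=["ssh-ed25519"],
    enc_c2s=["aes256-ctr"], enc_s2c=["aes256-ctr"], comp_c2s=["none"], comp_s2c=["none"],
    mac_c2s=["hmac-sha2-256", "hmac-md5"], mac_s2c=["hmac-sha2-256", "hmac-sha1-96"])
```

Pointing `fetch_server_kexinit` at the Jenkins SSH port after a dependency bump shows whether the flagged MACs are really gone, independent of what the scanner's own list says.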


Re: Security Vulnerability on my Jenkins Server

2020-08-25 Thread eric....@gmail.com
I'm confused.  It doesn't look like the ciphers the vulnerability is citing 
are allowed in the java.security file on this system.  We're getting 
flagged for:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Settings are:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Am I missing this, not a java security expert by any means...  Thanks!
On Monday, August 24, 2020 at 11:09:43 AM UTC-6 kuisat...@gmail.com wrote:

> Yes, to configure the ciphers accepted by your JDK, edit the 
> file lib\security\java.security (the path will vary based on your Java 
> version).
>
> On Monday, 24 August 2020 at 16:48:22 UTC+2, eric@gmail.com wrote:
>
>> Hi all!  I'm getting hit by my security team for a vulnerability for the 
>> Jenkins CLI via ssh allowing the following weak ciphers:
>>
>>   hmac-md5
>>   hmac-md5-96
>>   hmac-sha1-96
>>
>> Is there a way to configure ciphers accepted for the Jenkins CLI?
>>
>> Thanks,
>> Eric
>>
>



Re: Security Vulnerability on my Jenkins Server

2020-08-24 Thread Ivan Fernandez Calvo
Yes, to configure the ciphers accepted by your JDK, edit the 
file lib\security\java.security (the path will vary based on your Java 
version).

On Monday, 24 August 2020 at 16:48:22 UTC+2, eric@gmail.com wrote:

> Hi all!  I'm getting hit by my security team for a vulnerability for the 
> Jenkins CLI via ssh allowing the following weak ciphers:
>
>   hmac-md5
>   hmac-md5-96
>   hmac-sha1-96
>
> Is there a way to configure ciphers accepted for the Jenkins CLI?
>
> Thanks,
> Eric
>



Security Vulnerability on my Jenkins Server

2020-08-24 Thread eric....@gmail.com
Hi all!  I'm getting hit by my security team for a vulnerability for the 
Jenkins CLI via ssh allowing the following weak ciphers:

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

Is there a way to configure ciphers accepted for the Jenkins CLI?

Thanks,
Eric
