Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN226 _____________________________________________________________________ DATE : 10/04/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running jenkins/ssh-agent Docker images versions prior to 6.11.2, jenkins/ssh-slave Docker images all versions. ===================================================================== https://www.jenkins.io/security/advisory/2025-04-10/ _____________________________________________________________________ Jenkins Security Advisory 2025-04-10 This advisory announces vulnerabilities in the following Jenkins deliverables: jenkins/ssh-agent Docker images jenkins/ssh-slave Docker images Descriptions Host key reuse in SSH build agent Docker images SECURITY-3565 / CVE-2025-32754 (jenkins/ssh-agent), CVE-2025-32755 (jenkins/ssh-slave) Severity (CVSS): Medium Description: The jenkins/ssh-agent and deprecated jenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin. In jenkins/ssh-agent 6.11.1 and earlier and all versions of jenkins/ssh-slave, SSH host keys are generated on image creation for images based on Debian. This affects the following image variants: jenkins/ssh-agent: All not explicitly specifying an OS, including all -jdk* and -jdk*-preview suffixes (all before 2025-04-10) All containing debian, stretch, bullseye, or bookworm (all before 2025-04-10) jenkins/ssh-slave: The tags latest, jdk11, latest-jdk11, revert-22-jdk11-JENKINS-52279 The following image variants are unaffected: jenkins/ssh-agent: All containing alpine, nanoserver, or windows jenkins/ssh-slave: The tag alpine As a result, all containers based on images of the same version use the same SSH host keys. This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter. The jenkins/ssh-agent 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup. jenkins/ssh-slave is deprecated and will not be updated. Use jenkins/ssh-agent instead. Severity SECURITY-3565: Medium Affected Versions jenkins/ssh-agent Docker images up to and including 6.11.1 jenkins/ssh-slave Docker images up to and including all versions Fix jenkins/ssh-agent Docker images should be updated to version 6.11.2 These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated. Credit The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: Abhishek Reddypalle for SECURITY-3565 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================