From c4ac789748d0ee830d3616eb841911961ca68b54 Mon Sep 17 00:00:00 2001
From: Jeff Lu
Date: Mon, 5 Feb 2024 22:40:08 -0800
Subject: [PATCH 1/3] jenkins cve mitigation

Signed-off-by: Jeff Lu
---
 lib/compute/jenkins-main-node.ts | 5 +++++
 test/compute/jenkins-main-node.test.ts | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/compute/jenkins-main-node.ts b/lib/compute/jenkins-main-node.ts
index 69485673..d03af1a6 100644
--- a/lib/compute/jenkins-main-node.ts
+++ b/lib/compute/jenkins-main-node.ts
@@ -265,6 +265,11 @@ export class JenkinsMainNode {
 + ' instance_id=`curl -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id` && echo $ami_id &&'
 + ` aws ec2 --region ${stackRegion} modify-instance-metadata-options --instance-id $instance_id --http-put-response-hop-limit 2`),
 
+ // Jenkins CVE https://www.jenkins.io/security/advisory/2024-01-24/ mitigation
+ InitCommand.shellCommand('mkdir -p /var/lib/jenkins/init.groovy.d'),
+ // eslint-disable-next-line max-len
+ InitCommand.shellCommand('sudo wget -P /var/lib/jenkins/init.groovy.d https://raw.githubusercontent.com/jenkinsci-cert/SECURITY-3314-3315/main/disable-cli.groovy'),
+
 // Configuration to proxy jenkins on :8080 -> :80
 InitFile.fromString('/etc/httpd/conf.d/jenkins.conf',
 httpConfigProps.useSsl
diff --git a/test/compute/jenkins-main-node.test.ts b/test/compute/jenkins-main-node.test.ts
index 650f2fb1..ab588d4f 100644
--- a/test/compute/jenkins-main-node.test.ts
+++ b/test/compute/jenkins-main-node.test.ts
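Review bot: The comment above the two new shellCommand entries says only "CVE mitigation"; it should say what is being installed and why, because the file it drops into /var/lib/jenkins/init.groovy.d is Groovy that Jenkins runs at every startup, so this download is part of the controller's trust boundary. Suggested comment: `// Workaround for the Jenkins 2024-01-24 security advisory (SECURITY-3314/3315): install the upstream disable-cli.groovy startup script, which by its name turns off the Jenkins CLI. Stop-gap only; remove once the Jenkins version in use contains the fix.` The mkdir runs without sudo while the wget runs with it; if cfn-init already runs as root the sudo is redundant, otherwise the mkdir would fail first, so the two lines should agree. The enclosing method of JenkinsMainNode starts and ends outside the hunk.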
@@ -26,7 +26,7 @@ describe('JenkinsMainNode Config Elements', () => {
 
 // THEN
 test('Config elements expected counts', async () => {
- expect(configElements.filter((e) => e.elementType === 'COMMAND')).toHaveLength(20);
+ expect(configElements.filter((e) => e.elementType === 'COMMAND')).toHaveLength(22);
 expect(configElements.filter((e) => e.elementType === 'PACKAGE')).toHaveLength(9);
 expect(configElements.filter((e) => e.elementType === 'FILE')).toHaveLength(4);
 });

From fbcab7de7b38c348c941df528a6137b13d8d61a3 Mon Sep 17 00:00:00 2001
From: Jeff Lu
Date: Wed, 21 Feb 2024 15:18:43 -0800
Subject: [PATCH 2/3] using curl to replace wget

Signed-off-by: Jeff Lu
---
 lib/compute/jenkins-main-node.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/compute/jenkins-main-node.ts b/lib/compute/jenkins-main-node.ts
index d03af1a6..b227a53f 100644
--- a/lib/compute/jenkins-main-node.ts
+++ b/lib/compute/jenkins-main-node.ts
@@ -268,7 +268,7 @@ export class JenkinsMainNode {
 // Jenkins CVE https://www.jenkins.io/security/advisory/2024-01-24/ mitigation
 InitCommand.shellCommand('mkdir -p /var/lib/jenkins/init.groovy.d'),
 // eslint-disable-next-line max-len
- InitCommand.shellCommand('sudo wget -P /var/lib/jenkins/init.groovy.d https://raw.githubusercontent.com/jenkinsci-cert/SECURITY-3314-3315/main/disable-cli.groovy'),
+ InitCommand.shellCommand('sudo curl -SL https://raw.githubusercontent.com/jenkinsci-cert/SECURITY-3314-3315/main/disable-cli.groovy -o /var/lib/jenkins/init.groovy.d/disable-cli.groovy'),
 
 // Configuration to proxy jenkins on :8080 -> :80
 InitFile.fromString('/etc/httpd/conf.d/jenkins.conf',

From 2eaca61e6ffe8a40641a5483ec79df042eaa72de Mon Sep 17 00:00:00 2001
From: Jeff Lu
Date: Wed, 21 Feb 2024 15:34:29 -0800
Subject: [PATCH 3/3] using the commit Id instead of the main branch

Signed-off-by: Jeff Lu
---
 lib/compute/jenkins-main-node.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

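Review bot: Raising the COMMAND count from 20 to 22 only proves that two more command elements exist; it does not check that the init.groovy.d mitigation is among them, so a later change that drops the download but adds two unrelated commands keeps this test green. Add an assertion that one COMMAND element's rendered command contains `init.groovy.d/disable-cli.groovy`; the exact accessor depends on how configElements is built, which is outside the hunk. The enclosing describe block also starts outside the hunk.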
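Review bot: The replacement `curl -SL` lacks `-f`, so a non-2xx response from raw.githubusercontent.com is written into disable-cli.groovy as the file body and curl exits 0; cfn-init then carries on and the mitigation is silently absent, whereas the removed wget line failed the command on an HTTP error. The same file already uses `curl -f` for the metadata call a few lines above this hunk, so the flags should match: `InitCommand.shellCommand('sudo curl -fsSL https://raw.githubusercontent.com/jenkinsci-cert/SECURITY-3314-3315/main/disable-cli.groovy -o /var/lib/jenkins/init.groovy.d/disable-cli.groovy'),`. The enclosing method of JenkinsMainNode starts and ends outside the hunk.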
diff --git a/lib/compute/jenkins-main-node.ts b/lib/compute/jenkins-main-node.ts
index b227a53f..189fe9e5 100644
--- a/lib/compute/jenkins-main-node.ts
+++ b/lib/compute/jenkins-main-node.ts
@@ -268,7 +268,7 @@ export class JenkinsMainNode {
 // Jenkins CVE https://www.jenkins.io/security/advisory/2024-01-24/ mitigation
 InitCommand.shellCommand('mkdir -p /var/lib/jenkins/init.groovy.d'),
 // eslint-disable-next-line max-len
- InitCommand.shellCommand('sudo curl -SL https://raw.githubusercontent.com/jenkinsci-cert/SECURITY-3314-3315/main/disable-cli.groovy -o /var/lib/jenkins/init.groovy.d/disable-cli.groovy'),
+ InitCommand.shellCommand('sudo curl -SL https://raw.githubusercontent.com/jenkinsci-cert/SECURITY-3314-3315/1363970ecc33a6b94620f2167d4a301fcf46bd36/disable-cli.groovy -o /var/lib/jenkins/init.groovy.d/disable-cli.groovy'),
 
 // Configuration to proxy jenkins on :8080 -> :80
 InitFile.fromString('/etc/httpd/conf.d/jenkins.conf',
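Review bot: Pinning the URL to commit 1363970ecc33a6b94620f2167d4a301fcf46bd36 removes the mutable-branch problem, but the Groovy that lands in init.groovy.d and runs at Jenkins startup is still trusted solely on the TLS connection plus whatever `-L` redirects to; nothing checks the bytes that were written. The smaller fix is to verify a pinned digest right after the download, e.g. `InitCommand.shellCommand('echo "<EXPECTED_SHA256_PLACEHOLDER>  /var/lib/jenkins/init.groovy.d/disable-cli.groovy" | sha256sum -c -'),` so a tampered or truncated file fails the init instead of being loaded. The cleaner fix is to vendor the script into this repository and install it with InitFile, the same mechanism the hunk already uses for jenkins.conf, which makes the script reviewable in-tree and drops the boot-time network dependency. The enclosing method of JenkinsMainNode starts and ends outside the hunk.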