Description
Service(s)
ci.jenkins.io
Summary
The WMI Windows agent plugin uses DCOM to connect agents. The DCOM technique that it uses is known to have security issues. Microsoft has tightened security restrictions and will further tighten security.
This plugin will be deprecated in May of 2023. SSH is now a very viable, secure and robust solution for connecting to Windows-based agents using native Windows binaries for OpenSSH Server or another method such as Cygwin. There is also the Windows Cloud plugin for Jenkins which uses WinRM, a more modern remote management solution.
The method for connecting agents to the controller in this plugin, which is based on DCOM, has several pitfalls and issues and can be brittle. The SSH and other solutions can unify the method for connecting to all agents (Windows, Linux, macOS, etc.) in your infrastructure. It is highly recommended that you migrate to one of these other methods sooner rather than later.
Microsoft is tightening security on DCOM based on a CVE. Initial OS updates will require a registry change to enable the current security level, then in May of 2023 they will not have a way to override the secure behavior. The library used in this plugin was last released in ~2010 and does not have an active development team. Jenkins developers have decided to deprecate this plugin rather than try and maintain the library on our own.
If someone would like to keep the plugin going, they would need to adopt the plugin and update it to align with the changes that Microsoft is putting in to resolve the CVE.
Reproduction steps
Implied dependencies prevent the plugin from being uninstalled on some Jenkins configurations. Need to update the plugins with the implied dependency to require a newer Jenkins version.