diff --git a/contrib/single_node_ci_data.yaml b/contrib/single_node_ci_data.yaml
index a40bcee..530cdde 100644
--- a/contrib/single_node_ci_data.yaml
+++ b/contrib/single_node_ci_data.yaml
@@ -8,6 +8,8 @@ project_config_repo: http://your-project-config-repo.example.com/project-config-
 # zuul. However, it has numerous security vulnerabilities, and should only
 # be used for installations that have other means (e.g. firewalls) that block all
 # untrusted access to Jenkins.
+# see SECURITY-170 in:
+# "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
 #jenkins_version: present
 #jenkins_vhost_name: jenkins
 #jenkins_username: jenkins
@@ -18,6 +20,11 @@ jenkins_ssh_private_key: |
 -----END RSA PRIVATE KEY-----
 jenkins_ssh_public_key: your-jenkins-public-key-no-whitespace
 jjb_git_revision: 1.6.2
+#java_args_override: |
+ # These are the arguments to pass to Java
+ # The recommended value:
+ # "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+ # Please note that using the parameter: keepUndefinedParameters=true is not secure and exposes a potential jenkins security vulnerability
 #jjb_git_url: https://git.openstack.org/openstack-infra/jenkins-job-builder
 #gerrit_server: review.openstack.org
 #gerrit_ssh_host_key:
diff --git a/contrib/single_node_ci_site.pp b/contrib/single_node_ci_site.pp
index 0aafcb3..8dae153 100644
--- a/contrib/single_node_ci_site.pp
+++ b/contrib/single_node_ci_site.pp
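Review bot: The commented example in the second hunk of contrib/single_node_ci_data.yaml labels as "The recommended value" a string that ends in `-Dhudson.model.ParametersAction.keepUndefinedParameters=true`, which restores the behaviour that the SECURITY-170 fix linked in the first hunk restricts, and the very next line says the flag is not secure. The same string is presented in the `java_args_override` description added to manifests/single_node_ci.pp. I would drop the flag from the recommended value and list it separately as an opt-in workaround, e.g. `# Insecure workaround (weakens the SECURITY-170 fix); add only if jobs depend on undefined parameters:`, and mention the narrower `-Dhudson.model.ParametersAction.safeParameters=<name1,name2>` allowlist as the preferred alternative. Separately, the prose sits under `#java_args_override: |` as indented `#` lines, so if only the key is uncommented those lines would likely become part of the block scalar value rather than comments; moving the prose above the key avoids that.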
@@ -38,6 +38,7 @@ node default {
 jenkins_password => hiera('jenkins_password', 'XXX'),
 jenkins_ssh_private_key => hiera('jenkins_ssh_private_key'),
 jenkins_ssh_public_key => hiera('jenkins_ssh_public_key'),
+ java_args_override => hiera('java_args_override', undef),
 gerrit_server => hiera('gerrit_server', 'review.openstack.org'),
 gerrit_user => hiera('gerrit_user'),
 gerrit_user_ssh_public_key => hiera('gerrit_user_ssh_public_key'),
diff --git a/manifests/jenkins_master.pp b/manifests/jenkins_master.pp
index f3c7db9..3146501 100644
--- a/manifests/jenkins_master.pp
+++ b/manifests/jenkins_master.pp
@@ -17,6 +17,7 @@ class openstackci::jenkins_master (
 $jenkins_version = 'present',
 $manage_jenkins_jobs = false,
 $jenkins_url = 'http://localhost:8080',
+ $java_args_override = undef,
 $jjb_update_timeout = 1200,
 $jjb_git_url = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
 $jjb_git_revision = 'master',
@@ -38,6 +39,7 @@ class openstackci::jenkins_master (
 jenkins_ssh_private_key => $jenkins_ssh_private_key,
 jenkins_ssh_public_key => $jenkins_ssh_public_key,
 jenkins_version => $jenkins_version,
+ java_args_override => $java_args_override,
 }
 jenkins::plugin { 'build-timeout':
diff --git a/manifests/single_node_ci.pp b/manifests/single_node_ci.pp
index c768123..8496b90 100644
--- a/manifests/single_node_ci.pp
+++ b/manifests/single_node_ci.pp
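Review bot: `$java_args_override` is added to `openstackci::jenkins_master` in the hunk at -17 and forwarded unchanged in the hunk at -38, but neither hunk in manifests/jenkins_master.pp documents it, whereas manifests/single_node_ci.pp gets a full description including the security caveat. Since this class takes the parameter in its own right, the caveat should travel with it; a short comment next to the parameter would do: `# JVM arguments for the Jenkins master; flags such as keepUndefinedParameters=true weaken the SECURITY-170 fix.` The class header and the resource that receives the value both start outside these hunks, so whether a doc block already exists there, and how an unset value is handled downstream, cannot be confirmed from here.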
@@ -56,6 +56,15 @@
 # The public key should not have any white space. Omit the 'ssh-rsa' prefix
 # and comment section / e-mail address suffix.
 #
+# [*java_args_override*]
+# These are the arguments to pass to Java:
+# "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+# Set this parameter through hieradata.
+# To work around the security restrictions that result from upgrading to version > 1.651.2
+# Add the Java system parameter:
+# "-Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+# Please note that adding this parameter is not secure and it exposes a potential jenkins security vulnerability.
+#
 # [*jenkins_version*]
 # This is a Jenkins version, such as '1.651', 'present' (to install
 # the most recent, and never upgrade), or latest' (to install the most
@@ -158,6 +167,7 @@ class openstackci::single_node_ci (
 $jenkins_password = undef,
 $jenkins_ssh_private_key = undef,
 $jenkins_ssh_public_key = undef,
+ $java_args_override = undef,
 $jenkins_version = 'present',
 $jjb_git_revision = 'master',
 $jjb_git_url = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
@@ -200,6 +210,7 @@ class openstackci::single_node_ci (
 jenkins_password => $jenkins_password,
 project_config_repo => $project_config_repo,
 log_server => $log_server,
+ java_args_override => $java_args_override,
 jjb_git_revision => $jjb_git_revision,
 jjb_git_url => $jjb_git_url,
 }
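Review bot: The new `[*java_args_override*]` description opens with "These are the arguments to pass to Java:" followed by a literal string, which reads as the effective default even though the parameter defaults to `undef` in the hunk at -158. I would open it with something like `# Optional string that overrides the JVM arguments of the Jenkins master. Default: undef.` and only then give the example. "Add the Java system parameter" also reads as an instruction rather than an opt-in workaround. The wording "version > 1.651.2" may need to be ">= 1.651.2" if the restriction arrived in that release itself, which is worth checking against the advisory linked from contrib/single_node_ci_data.yaml.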