CVE-2021-21627

8.8 HIGH

📋 TL;DR

Libvirt Agents Plugin 1.9.0 and earlier exposes its domain-stop endpoint without requiring POST, so Jenkins' crumb-based CSRF protection (which only validates POST requests) does not cover it. An attacker who lures a logged-in Jenkins user with permission to stop the domain (typically an administrator) onto a malicious page can make that user's browser issue the request and stop hypervisor domains (virtual machines) managed by Jenkins. Affects Jenkins instances running the vulnerable Libvirt Agents Plugin.

💻 Affected Systems

Products:
  • Jenkins Libvirt Agents Plugin
Versions: 1.9.0 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with Libvirt Agents Plugin installed and configured to manage Libvirt hypervisors.

📦 What is this software?

The Libvirt Agents Plugin (plugin id libvirt-slave, formerly "Libvirt Slaves") lets Jenkins use virtual machines ("domains") on a libvirt-managed hypervisor such as KVM/QEMU as build agents: Jenkins starts a domain when it needs the agent and shuts it down again when it is idle. The vulnerable endpoint is the one that performs that shutdown.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could stop critical production virtual machines, causing service disruption, data loss, and operational downtime across infrastructure.

🟠

Likely Case

Targeted attacks stopping specific VMs to disrupt workflows, cause temporary outages, or interfere with CI/CD pipelines.

🟢

If Mitigated

With the plugin updated to 1.9.1 or removed, a forged request can no longer stop a domain. Note that network restrictions alone do not prevent CSRF, since the request is sent by the victim's own browser; residual risk is limited to instances that still run the old plugin.

🌐 Internet-Facing: HIGH - An internet-reachable Jenkins is the easiest target: any web page the victim visits can issue the forged request.
🏢 Internal Only: MEDIUM - Being internal does not stop CSRF, since the forged request comes from the browser of a user who is already on the internal network; the attacker still has to get that user to load a malicious page (phishing, a compromised internal site).

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires luring a logged-in user who has permission to stop the domain (typically an administrator) to an attacker-controlled page; that page issues the request to Jenkins and the victim's session cookie authenticates it. The attacker needs no credentials and no authentication bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.1

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-1764

Restart Required: Yes

Instructions:

1. Update Jenkins Libvirt Agents Plugin to version 1.9.1 or later via Jenkins Plugin Manager.
2. Restart Jenkins service.
3. Verify plugin version in installed plugins list.

What the fix changes: 1.9.1 requires POST for the affected endpoint, so a cross-site GET (an image tag or link on a malicious page) no longer stops a domain, and the remaining POST path is covered by Jenkins' crumb check.

🔧 Temporary Workarounds

Enable CSRF Protection

Applies to: all versions

Confirm that Jenkins' crumb-based CSRF protection is on (default in modern versions).

Check: Manage Jenkins > Configure Global Security > Enable CSRF Protection

Caveat: crumbs are only validated on POST requests, and the vulnerable endpoint accepted GET, which is exactly why this bug exists. Crumbs therefore block only the forged-POST variant; they do not close the GET path, so this setting is a baseline, not a fix for this CVE.

Network Segmentation

Applies to: all versions

Restrict the Jenkins web interface to trusted networks only.

Configure firewall rules to limit Jenkins web interface access to admin networks. This reduces who can reach the instance at all, but it does not prevent CSRF: the forged request is sent by the victim's own browser from inside the trusted network, so an admin who loads an attacker's page from there still triggers the stop.

🧯 If You Can't Patch

  • Remove or disable Libvirt Agents Plugin if not essential
  • Implement strict access controls and monitor for unauthorized VM stop operations

🔍 How to Verify

Check if Vulnerable:

Check installed plugin version: Manage Jenkins > Manage Plugins > Installed tab > Find 'Libvirt Agents Plugin'

Check Version:

Jenkins CLI (the -auth value is a username and API token for an account that can read the plugin list): java -jar jenkins-cli.jar -s http://jenkins-url/ -auth user:api-token list-plugins | grep -i libvirt

Verify Fix Applied:

Verify plugin version is 1.9.1 or higher in installed plugins list
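The same check, scripted against the plugin inventory Jenkins exposes at /pluginManager/api/json?depth=1, as an added example for this page (not code from Jenkins or the plugin project). It assumes the plugin's short name in that inventory is libvirt-slave and that the account used authenticates with an API token over HTTP basic auth; the sample inventory at the bottom is constructed so the check runs offline.

```python
"""Check whether a Jenkins instance runs a vulnerable Libvirt Agents Plugin.

Added example for this page, not code from the Jenkins project or the plugin.
Assumptions (not stated by the advisory): the plugin's short name in the
Jenkins plugin inventory is "libvirt-slave", the account used may read
/pluginManager/api/json, and it authenticates with an API token over HTTP
basic auth.
"""
import base64
import json
import re
import urllib.request

PLUGIN_SHORT_NAME = "libvirt-slave"  # assumed plugin id
FIXED_VERSION = "1.9.1"              # first fixed release per the advisory


def parse_version(version):
    """'1.9.0' -> (1, 9, 0). Non-numeric suffixes such as '-SNAPSHOT' are
    dropped from a component; a component with no digits counts as 0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.
    Shorter tuples are padded with zeros so '1.9' == '1.9.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def assess(inventory, short_name=PLUGIN_SHORT_NAME, fixed=FIXED_VERSION):
    """Classify the decoded JSON of /pluginManager/api/json?depth=1.

    Returns a dict with 'state' in {'not-installed', 'vulnerable', 'fixed'},
    the installed 'version' (or None) and whether the plugin is 'enabled'.
    A disabled plugin is still reported by version: it serves no endpoints
    until enabled, but becomes vulnerable again as soon as someone re-enables it.
    """
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") != short_name:
            continue
        version = plugin.get("version", "0")
        state = "fixed" if compare_versions(version, fixed) >= 0 else "vulnerable"
        return {"state": state, "version": version,
                "enabled": bool(plugin.get("enabled", True))}
    return {"state": "not-installed", "version": None, "enabled": False}


def fetch_inventory(base_url, user, api_token, timeout=10):
    """Download the plugin inventory from a live instance (network call,
    not exercised offline)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    request = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


# Constructed sample inventory standing in for a live response.
SAMPLE_INVENTORY = json.loads("""
{"plugins": [
  {"shortName": "git",           "version": "4.7.0", "enabled": true},
  {"shortName": "libvirt-slave", "version": "1.9.0", "enabled": true}
]}
""")

if __name__ == "__main__":
    # Against a live instance: assess(fetch_inventory("https://jenkins-url/", "user", "api-token"))
    print(assess(SAMPLE_INVENTORY))
```

Run it across every controller you operate rather than only the one you remember installing the plugin on; a disabled copy of the plugin still shows up in the inventory and should be updated or removed so that re-enabling it later does not reintroduce the hole.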

📡 Detection & Monitoring

Log Indicators:

  • Unexpected 'stop' operations on hypervisor domains in Jenkins logs (jenkins.log records the plugin's actions, not the HTTP requests that caused them)
  • Stop events that do not line up with an agent going idle or with a user action in the Jenkins UI

Network Indicators (reverse-proxy or Jenkins access logs):

  • GET requests to the stop endpoint (this page identifies it as /libvirt-slave/stopSlave): vulnerable versions act on GET, which the crumb check never covers
  • POST requests to the same endpoint whose Referer or Origin is not the Jenkins origin, or that Jenkins rejected with 403 (crumb missing)
  • Bursts of stop requests from one client, or against several domains in a short window

SIEM Query (run against the access log rather than jenkins.log, since only access logs carry request lines; field names depend on your log parser):

source="jenkins-access.log" AND "libvirt-slave/stopSlave" AND (method="GET" OR NOT referer="*jenkins-url*")
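The same detection logic run over access-log lines, as an added example for this page (not code from Jenkins or the plugin). It parses Apache/nginx "combined" format as written by a reverse proxy in front of Jenkins, and assumes the stop endpoint path is the one this page names (STOP_PATH) and that the instance is served as JENKINS_HOST; both are placeholders, and the sample log lines are constructed, not real traffic.

```python
"""Flag hypervisor-stop requests that look like CSRF rather than a user acting
through the Jenkins UI.

Added example for this page, not code from Jenkins or the plugin. It reads
reverse-proxy access logs in Apache/nginx "combined" format (Jenkins' own
jenkins.log does not record request lines). Assumptions: STOP_PATH is the
endpoint path this page names, JENKINS_HOST is the hostname the instance is
served under; adjust both for your deployment.
"""
import re
from urllib.parse import urlparse

STOP_PATH = "/libvirt-slave/stopSlave"      # endpoint path as named on this page (assumed)
JENKINS_HOST = "jenkins.example.internal"   # assumed hostname of the instance

# "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that are not access-log entries."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(rec, stop_path=STOP_PATH, jenkins_host=JENKINS_HOST):
    """Return why a request is suspicious, or None if it is not a stop request
    or looks like a same-site POST.

    Vulnerable plugin versions act on the stop over GET, which Jenkins' crumb
    check never covers, so any GET hit on the endpoint is the primary signal.
    A POST whose Referer is another site (or absent) is the secondary one.
    """
    if stop_path not in rec["path"]:
        return None
    if rec["method"] == "GET":
        return "stop requested over GET"
    referer = rec["referer"]
    referer_host = urlparse(referer).hostname if referer not in ("", "-") else None
    if referer_host is None:
        return "stop POST without Referer"
    if referer_host != jenkins_host:
        return f"stop POST from foreign Referer {referer_host}"
    return None


def scan(lines):
    """Run classify over raw log lines; returns one dict per flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append({"ip": rec["ip"], "user": rec["user"],
                         "method": rec["method"], "status": rec["status"],
                         "reason": reason})
    return hits


# Constructed sample log (not real traffic). Line 1 is a normal UI action;
# line 2 is the GET a malicious page can trigger on a vulnerable version;
# line 3 is a forged POST that the crumb check rejected with 403.
SAMPLE_LOG = [
    '10.0.0.5 - alice [18/Mar/2021:10:01:02 +0000] "POST /libvirt-slave/stopSlave HTTP/1.1" 302 0 "https://jenkins.example.internal/computer/vm-01/" "Mozilla/5.0"',
    '10.0.0.5 - alice [18/Mar/2021:10:02:17 +0000] "GET /libvirt-slave/stopSlave HTTP/1.1" 302 0 "https://blog.example.org/post" "Mozilla/5.0"',
    '10.0.0.5 - alice [18/Mar/2021:10:02:18 +0000] "POST /libvirt-slave/stopSlave HTTP/1.1" 403 0 "https://blog.example.org/post" "Mozilla/5.0"',
    '10.0.0.7 - bob [18/Mar/2021:10:05:00 +0000] "GET /job/build-all/lastBuild/console HTTP/1.1" 200 4096 "https://jenkins.example.internal/" "Mozilla/5.0"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat the missing-Referer case as low confidence: browsers drop the header under a strict Referrer-Policy, so it also appears for legitimate actions. The high-confidence signal on a pre-1.9.1 plugin is a GET on the endpoint followed by a domain actually stopping; after patching, a GET should no longer result in a stop, and any that still does means the update did not take.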

🔗 References

  • Jenkins Security Advisory 2021-03-18, SECURITY-1764: https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-1764
  • NVD entry for CVE-2021-21627: https://nvd.nist.gov/vuln/detail/CVE-2021-21627
