CVE-2021-21685 – This vulnerability in Jenkins allows agents to ... (How to Fix)

Q: How do I fix CVE-2021-21685?

1. Backup Jenkins configuration and data. 2. Upgrade to Jenkins 2.319 or Jenkins LTS 2.303.3. 3. Restart Jenkins service. 4. Verify upgrade completed successfully.

Q: What is the severity of CVE-2021-21685?

CVE-2021-21685 has a CVSS score of 9.1 (CRITICAL). This vulnerability in Jenkins allows agents to create arbitrary directories on the controller's filesystem without proper access control. Attackers with agent access can potentially write files anywhere the Jenkins process has write permissions, leading to remote code execution. All Jenkins installations using affected versions with agent connections are vulnerable.

📋 TL;DR

This vulnerability in Jenkins allows agents to create arbitrary directories on the controller's filesystem without proper access control. Attackers with agent access can potentially write files anywhere the Jenkins process has write permissions, leading to remote code execution. All Jenkins installations using affected versions with agent connections are vulnerable.

💻 Affected Systems

Products:

Jenkins

Versions: Jenkins <= 2.318, Jenkins LTS <= 2.303.2

Operating Systems: All operating systems running Jenkins

Default Config Vulnerable: ⚠️ Yes

Notes: Requires agent-to-controller communication; standalone installations without agents are not affected.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on the Jenkins controller, allowing complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Unauthorized file creation leading to privilege escalation, persistence mechanisms, or denial of service by filling disk space.

🟢

If Mitigated

Limited impact if agents are fully trusted or isolated, though directory creation could still cause configuration issues.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet with agent connections are prime targets for exploitation.

🏢 Internal Only: MEDIUM - Internal attackers with agent access could exploit this, but requires initial access to the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires agent access but is straightforward once obtained; public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.319, Jenkins LTS 2.303.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Restart Required: Yes

Instructions:

1. Backup Jenkins configuration and data. 2. Upgrade to Jenkins 2.319 or Jenkins LTS 2.303.3. 3. Restart Jenkins service. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Restrict agent permissions

all

Limit agent access to only trusted sources and implement strict network controls.

Configure Jenkins agent security settings to restrict access
Use firewall rules to limit agent connections

Disable unnecessary agents

all

Remove or disable agents that are not essential for operations.

Manage Jenkins > Manage Nodes > Remove untrusted agents

🧯 If You Can't Patch

Implement strict network segmentation to isolate Jenkins agents from untrusted networks.
Monitor file system changes on Jenkins controller for unauthorized directory creation.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'.

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Confirm version is 2.319 or higher, or LTS 2.303.3 or higher, and test agent directory creation permissions.

📡 Detection & Monitoring

Log Indicators:

Unauthorized directory creation attempts in Jenkins logs
Agent connection logs from untrusted sources

Network Indicators:

Unusual agent-to-controller file transfer patterns
Suspicious network traffic to Jenkins agent ports

SIEM Query:

source="jenkins.log" AND "mkdirs" AND "agent"

📊 Metadata

CVE ID: CVE-2021-21685

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-862

Published: November 4, 2021

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/11/04/3 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/11/04/3 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21685, you might also want to check these: