CVE-2021-21687
📋 TL;DR
This vulnerability in Jenkins allows agents to create arbitrary symbolic links on the controller file system during archive extraction. Attackers with agent access can potentially write files anywhere the Jenkins process has write permissions, leading to remote code execution. All Jenkins installations using affected versions with agent-to-controller file operations are vulnerable.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the Jenkins controller, allowing complete system compromise, data theft, and lateral movement within the network.
Likely Case
Arbitrary file write leading to privilege escalation, configuration modification, or installation of backdoors on the Jenkins controller.
If Mitigated
Limited to file writes in directories where Jenkins has restricted permissions, potentially causing denial of service or limited data manipulation.
🎯 Exploit Status
Exploitation requires agent access but is straightforward once obtained. Public exploit details exist in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.319, Jenkins LTS 2.303.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
Restart Required: Yes
Instructions:
1. Backup your Jenkins configuration. 2. Upgrade to Jenkins 2.319 or later, or Jenkins LTS 2.303.3 or later. 3. Restart the Jenkins service. 4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable agent-to-controller file operations
allRestrict agents from performing file operations on the controller by modifying agent permissions.
Configure agent permissions in Jenkins to remove 'Agent/Computer: FilePath#untar' and related file operation permissions
Run Jenkins with minimal permissions
linuxRun the Jenkins service with a dedicated low-privilege user account to limit file system access.
sudo chown -R jenkins:jenkins /var/lib/jenkins
Configure service to run as 'jenkins' user
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Jenkins controllers from sensitive systems
- Apply principle of least privilege to Jenkins service account and file system permissions
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins, or run 'java -jar jenkins.war --version' from command line.Check Version:
java -jar jenkins.war --versionVerify Fix Applied:
After upgrade, verify version is 2.319+ or LTS 2.303.3+ in About Jenkins page.📡 Detection & Monitoring
Log Indicators:
- Unusual file creation patterns in Jenkins logs
- Agent operations creating symbolic links
- File permission errors in unusual directories
Network Indicators:
- Unexpected agent-to-controller file transfers
- Unusual outbound connections from Jenkins controller
SIEM Query:
source="jenkins.log" AND ("symlink" OR "FilePath.untar" OR "agent file operation")