CVE-2021-21691 – This vulnerability allows Jenkins agents to cre... (How to Fix)

Q: What is the severity of CVE-2021-21691?

CVE-2021-21691 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows Jenkins agents to create symbolic links on the controller without proper permission checks. Attackers with agent access can potentially write arbitrary files to sensitive locations, leading to privilege escalation or remote code execution. All Jenkins instances with agent connections are affected.

📋 TL;DR

This vulnerability allows Jenkins agents to create symbolic links on the controller without proper permission checks. Attackers with agent access can potentially write arbitrary files to sensitive locations, leading to privilege escalation or remote code execution. All Jenkins instances with agent connections are affected.

💻 Affected Systems

Products:

Jenkins

Versions: Jenkins 2.318 and earlier, LTS 2.303.2 and earlier

Operating Systems: All platforms running Jenkins

Default Config Vulnerable: ⚠️ Yes

Notes: All Jenkins installations using the standard agent-to-controller communication are vulnerable. Cloud-based Jenkins instances are also affected.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of Jenkins controller via arbitrary file write leading to remote code execution as Jenkins service account, potentially enabling lateral movement in the environment.

🟠

Likely Case

Privilege escalation within Jenkins, unauthorized access to sensitive files, or disruption of Jenkins operations through file system manipulation.

🟢

If Mitigated

Limited impact if proper network segmentation and agent access controls are implemented, restricting agent-to-controller communication.

🌐 Internet-Facing: HIGH - Jenkins controllers exposed to the internet with agent connections are at significant risk of exploitation.

🏢 Internal Only: MEDIUM - Internal Jenkins instances are still vulnerable but require initial access to the network or compromised agents.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires agent access but is straightforward once agent connection is established. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.319, LTS 2.303.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Restart Required: Yes

Instructions:

1. Backup Jenkins configuration and data. 2. Upgrade Jenkins to version 2.319 or later, or LTS 2.303.3 or later. 3. Restart Jenkins service. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Restrict agent permissions

all

Remove symlink permission from agent-to-controller access control

Navigate to Manage Jenkins > Configure Global Security > Agent to Controller Access Control
Remove 'symlink' permission from all agent configurations

🧯 If You Can't Patch

Implement strict network segmentation to isolate Jenkins agents from sensitive systems
Monitor for suspicious file creation activities and agent behavior anomalies

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via web interface (Manage Jenkins > About Jenkins) or command line: java -jar jenkins.war --version

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Confirm version is 2.319+ or LTS 2.303.3+ and verify symlink permission is properly restricted in agent access control settings

📡 Detection & Monitoring

Log Indicators:

Unauthorized symlink creation attempts in Jenkins logs
Agent permission escalation events
File system changes from Jenkins agent processes

Network Indicators:

Unusual agent-to-controller file transfer patterns
Agent connections attempting to access restricted file paths

SIEM Query:

source="jenkins.log" AND ("symlink" OR "permission denied" OR "access control")

📊 Metadata

CVE ID: CVE-2021-21691

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-59

Published: November 4, 2021

Last Updated: November 21, 2024

🔗 References

https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 Vendor Advisory
https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21691, you might also want to check these: