CVE-2021-21693
📋 TL;DR
This vulnerability in Jenkins allows agents to create temporary files on the controller before access controls are checked, enabling unauthorized file operations. It affects Jenkins 2.318 and earlier, including LTS 2.303.2 and earlier. Attackers could potentially write arbitrary files to the controller filesystem.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the Jenkins controller by writing malicious files that get executed, leading to complete system compromise.
Likely Case
Unauthorized file creation/modification on the controller, potentially leading to data tampering, privilege escalation, or denial of service.
If Mitigated
Limited impact if proper network segmentation and agent restrictions are in place, though file system integrity could still be compromised.
🎯 Exploit Status
Exploitation requires agent access, but the vulnerability is straightforward to exploit once an attacker controls or compromises an agent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.319, Jenkins LTS 2.303.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455
Restart Required: Yes
Instructions:
1. Backup your Jenkins instance. 2. Upgrade to Jenkins 2.319 or later, or Jenkins LTS 2.303.3 or later. 3. Restart Jenkins service. 4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict agent permissions
allLimit agent permissions to minimize the impact of potential exploitation
Configure agent security settings to restrict file system access
Network segmentation
allIsolate Jenkins agents from sensitive systems and limit agent-to-controller communication
🧯 If You Can't Patch
- Implement strict agent access controls and monitor agent activities
- Isolate Jenkins controller on separate network segment with limited agent access
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins, or run 'java -jar jenkins.war --version'Check Version:
java -jar jenkins.war --versionVerify Fix Applied:
Verify Jenkins version is 2.319 or higher, or LTS 2.303.3 or higher📡 Detection & Monitoring
Log Indicators:
- Unauthorized file creation attempts in Jenkins logs
- Agent activities creating unexpected temporary files
Network Indicators:
- Unusual agent-to-controller file transfer patterns
SIEM Query:
source="jenkins.log" AND ("temporary file" OR "file creation" OR "access control") AND severity=ERROR