CVE-2021-22117

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers with local filesystem access to add arbitrary plugins to RabbitMQ on Windows systems. It affects RabbitMQ Windows installations prior to version 3.8.16 where insufficient directory permissions could enable malicious plugin injection.

💻 Affected Systems

Products:
  • RabbitMQ
Versions: All versions prior to 3.8.16
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux installations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could install malicious plugins that execute arbitrary code with RabbitMQ service privileges, potentially leading to complete system compromise, data theft, or lateral movement.

🟠

Likely Case

Privilege escalation or unauthorized plugin installation by users with local access, potentially disrupting RabbitMQ operations or enabling persistence mechanisms.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to users who already have administrative access to the RabbitMQ system.

🌐 Internet-Facing: LOW - This requires local filesystem access, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this for privilege escalation or persistence.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local filesystem write access to RabbitMQ plugin directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.16 and later

Vendor Advisory: https://tanzu.vmware.com/security/cve-2021-22117

Restart Required: Yes

Instructions:

1. Download RabbitMQ 3.8.16 or later from official sources.
2. Stop the RabbitMQ service.
3. Install the updated version.
4. Restart the RabbitMQ service.

🔧 Temporary Workarounds

Restrict plugin directory permissions

Manually set restrictive permissions on RabbitMQ plugin directories to prevent unauthorized writes.

icacls "C:\Program Files\RabbitMQ Server\rabbitmq_server-<version>\plugins" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /grant "RabbitMQ Service Account:(OI)(CI)RX"

🧯 If You Can't Patch

  • Implement strict access controls on RabbitMQ server systems to limit local user access.
  • Monitor plugin directory for unauthorized file modifications using file integrity monitoring tools.

🔍 How to Verify

Check if Vulnerable:

Run 'rabbitmqctl status' on the Windows host and check whether the reported RabbitMQ version is below 3.8.16.

Check Version:

rabbitmqctl status | findstr "RabbitMQ version"

Verify Fix Applied:

Confirm version is 3.8.16 or higher and verify plugin directory permissions are properly restricted.
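As an added verification aid (not part of the advisory), the PowerShell script below combines the two checks above: it reads the version from `rabbitmqctl status` and compares it with the fixed release 3.8.16, and it lists write-capable ACEs on the plugins directory that are held by identities outside an allow-list. The plugins path, the allow-list contents, and the "RabbitMQ version: X.Y.Z" line format are assumptions; adjust them to the installation being checked.

```powershell
# Added example, not from the advisory. Audits a RabbitMQ plugins directory on Windows
# for write-capable ACEs outside an allow-list and compares the installed version
# against 3.8.16 (the fix for CVE-2021-22117).
param(
    # Assumed path; the real directory name carries the installed version number.
    [string]$PluginsDir = "C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.14\plugins",
    # Identities that are expected to hold write access (assumed allow-list).
    [string[]]$AllowedWriters = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")
)

function Test-RabbitMQVersionFixed {
    param([string]$VersionString)   # e.g. "3.8.14"
    return ([version]$VersionString) -ge [version]"3.8.16"
}

function Get-UnexpectedPluginDirWriters {
    param([string]$Path, [string[]]$Allowed)
    # Any of these rights lets a principal drop or replace a plugin file.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { ($_.FileSystemRights -band $writeBits) -ne 0 } |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object @{n = 'Identity';  e = { $_.IdentityReference.Value }},
                      @{n = 'Rights';    e = { $_.FileSystemRights }},
                      @{n = 'Inherited'; e = { $_.IsInherited }}
}

# Version check; the "RabbitMQ version: X.Y.Z" line format is assumed.
$match = (& rabbitmqctl status 2>$null) | Select-String 'RabbitMQ version:\s*([\d.]+)'
if ($match) {
    $ver = $match.Matches[0].Groups[1].Value
    if (Test-RabbitMQVersionFixed $ver) { "Version $ver: fixed release (>= 3.8.16)" }
    else { "Version $ver: below 3.8.16, affected by CVE-2021-22117" }
} else {
    "Could not read the version from rabbitmqctl status"
}

# ACL audit: every row returned is a write-capable ACE outside the allow-list.
$hits = Get-UnexpectedPluginDirWriters -Path $PluginsDir -Allowed $AllowedWriters
if ($hits) { "Write-capable ACEs on $PluginsDir outside the allow-list:"; $hits | Format-Table -AutoSize }
else { "No unexpected write-capable ACEs on $PluginsDir" }
```

Run it from an elevated PowerShell session on the RabbitMQ host; if the service runs under a dedicated account that needs read access only, leave that account out of the allow-list so any write grant to it is reported.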

📡 Detection & Monitoring

Log Indicators:

  • Unexpected plugin loading in RabbitMQ logs
  • File modification events in plugin directories

Network Indicators:

  • Unusual plugin-related network traffic from RabbitMQ server

SIEM Query:

EventID=4663 AND ObjectName LIKE '%rabbitmq_server%plugins%' AND Accesses LIKE '%WRITE%'

Event ID 4663 is only recorded when object access auditing is enabled and the plugin directory carries a SACL that audits write access, so confirm both before relying on this query.
