CVE-2021-21687 Overview
CVE-2021-21687 is a critical authorization bypass vulnerability affecting Jenkins 2.318 and earlier, as well as LTS 2.303.2 and earlier. The vulnerability exists in the FilePath#untar function, which fails to properly check agent-to-controller access when creating symbolic links during archive extraction operations. This missing authorization check allows malicious agents to create arbitrary symbolic links on the Jenkins controller, potentially leading to unauthorized access to sensitive files and data.
Critical Impact
Attackers with access to a Jenkins agent can exploit this vulnerability to create symbolic links that bypass agent-to-controller security restrictions, potentially compromising the confidentiality and integrity of the Jenkins controller and its data.
Affected Products
- Jenkins 2.318 and earlier
- Jenkins LTS 2.303.2 and earlier
Discovery Timeline
- 2021-11-04 - CVE-2021-21687 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21687
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), representing a critical flaw in Jenkins' security architecture. The core issue resides in the FilePath#untar method, which is responsible for extracting tar archives. When this method encounters symbolic links within an archive, it creates them on the file system without verifying whether the requesting agent has the appropriate permissions to create such links on the controller.
The agent-to-controller security subsystem in Jenkins is designed to restrict what operations agents can perform on the controller. This is a critical security boundary, as agents are often less trusted than the controller itself and may be running on compromised or less secure infrastructure. By failing to enforce this security boundary during untar operations, the vulnerability allows agents to effectively bypass access controls.
Root Cause
The root cause of CVE-2021-21687 is the absence of authorization checks in the FilePath#untar implementation when processing symbolic links. The method processes archive contents and recreates the file structure, including symbolic links, without consulting the agent-to-controller access control mechanism. This oversight means that even when administrators have configured strict agent-to-controller security policies, those policies are not enforced during archive extraction operations involving symbolic links.
Attack Vector
The attack vector for this vulnerability is network-based and can be exploited by any entity that controls a Jenkins agent. An attacker would need to:
- Gain control of or compromise a Jenkins agent connected to the target controller
- Craft a malicious tar archive containing symbolic links pointing to sensitive files or directories on the controller
- Trigger an untar operation on the controller via the compromised agent
- Use the created symbolic links to access or manipulate files that should be protected by agent-to-controller access controls
The symbolic links could point to sensitive configuration files, credentials, or other protected resources on the Jenkins controller, effectively allowing unauthorized read or write access depending on the target and the controller's file system permissions.
Detection Methods for CVE-2021-21687
Indicators of Compromise
- Unexpected symbolic links appearing in Jenkins workspace or controller directories
- Agent activity involving tar archive extraction operations targeting the controller
- Unauthorized access attempts to sensitive files or directories through indirect paths
- Unusual file access patterns from agent processes on the controller
Detection Strategies
- Monitor Jenkins audit logs for FilePath#untar operations initiated by agents
- Implement file integrity monitoring on the Jenkins controller to detect new symbolic links
- Review agent activity logs for archive extraction operations
- Deploy endpoint detection to identify suspicious file system operations
Monitoring Recommendations
- Enable comprehensive Jenkins security audit logging to capture agent-to-controller operations
- Configure alerts for symbolic link creation in sensitive controller directories
- Monitor network traffic between agents and the controller for unusual archive transfer patterns
- Regularly audit Jenkins controller file systems for unexpected symbolic links
How to Mitigate CVE-2021-21687
Immediate Actions Required
- Upgrade Jenkins to version 2.319 or later immediately
- For LTS users, upgrade to version 2.303.3 or later
- Review agent-to-controller security configurations and restrict permissions
- Audit existing symbolic links on Jenkins controllers for suspicious entries
Patch Information
Jenkins has addressed this vulnerability in Jenkins 2.319 and Jenkins LTS 2.303.3. The fix implements proper authorization checks in the FilePath#untar method to verify agent-to-controller access before creating symbolic links. Administrators should upgrade to these versions or later to fully remediate the vulnerability. For detailed information about the fix, refer to the Jenkins Security Advisory #SECURITY-2455.
Workarounds
- Restrict agent-to-controller access to only trusted agents until patches can be applied
- Disable or limit the use of archive extraction features where possible
- Implement network segmentation between agents and controllers to limit exposure
- Consider running agents in isolated environments to minimize the impact of potential compromise
# Verify Jenkins version to ensure patched version is installed
java -jar jenkins-cli.jar -s http://your-jenkins-server/ version
# Check if version is 2.319+ (or LTS 2.303.3+)
# If running vulnerable version, upgrade immediately
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
