CVE-2021-22117 Overview
CVE-2021-22117 affects RabbitMQ installers on Microsoft Windows prior to version 3.8.16. The installer fails to harden permissions on the plugin directory during deployment. Local attackers with sufficient filesystem permissions can drop arbitrary plugins into the directory. RabbitMQ loads these plugins with broker privileges, resulting in local code execution under the service account.
The weakness maps to CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-94 (Improper Control of Generation of Code). Broadcom (RabbitMQ was previously developed under VMware Tanzu) maintains RabbitMQ and published a vendor advisory addressing the issue.
Critical Impact
A local user with write access to the RabbitMQ plugin directory can plant a malicious plugin that executes with the broker's privileges, compromising confidentiality, integrity, and availability of the messaging service.
Affected Products
- Broadcom RabbitMQ Server versions prior to 3.8.16 on Windows
- Microsoft Windows hosts running affected RabbitMQ installer builds
- Deployments using the default Windows MSI installer path
Discovery Timeline
- 2021-05-18 - CVE-2021-22117 published to NVD
- 2025-04-02 - Last updated in NVD database
Technical Details for CVE-2021-22117
Vulnerability Analysis
The RabbitMQ Windows installer creates the plugin directory without applying restrictive Access Control Lists (ACLs). The directory inherits permissive default permissions from the parent installation path. Standard local users can write files into the plugin location used by the broker at startup.
RabbitMQ loads Erlang/OTP plugin archives (.ez files) from this directory when the service initializes or when an operator enables a plugin. Plugin code runs inside the broker's Erlang virtual machine with the privileges of the RabbitMQ service account. An attacker therefore converts filesystem write access into code execution within the messaging broker.
The issue is a local privilege escalation and code injection vector. It requires existing low-privileged access to the host but no user interaction. Successful exploitation grants the attacker control over message routing, queue contents, and clustered nodes connected to the broker.
Root Cause
The root cause is improper permission assignment during installer execution. The installer does not call icacls or equivalent ACL-hardening routines against the plugin directory. Combined with RabbitMQ's design of loading any valid plugin archive present at startup, the misconfiguration enables arbitrary code execution.
Attack Vector
Exploitation requires local access with write permission to the RabbitMQ plugin directory on the affected Windows host. The attacker stages a crafted Erlang plugin archive in the directory. When the RabbitMQ service restarts or an administrator enables plugins, the broker loads the attacker-supplied code. The code executes with the service account's privileges, which typically include access to broker configuration, credentials, and message data.
See the Broadcom Tanzu Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2021-22117
Indicators of Compromise
- Presence of unexpected .ez plugin archives in the RabbitMQ plugin directory not delivered by the official installer
- File creation events in the plugin directory by non-administrative user accounts
- RabbitMQ broker logs showing plugin load events for unknown plugin names during service start
- Outbound network connections originating from the erl.exe or epmd.exe process to unexpected destinations
Detection Strategies
- Audit ACLs on the RabbitMQ installation path and plugin subdirectory, flagging entries that grant write access to non-privileged groups such as Users or Authenticated Users
- Monitor Windows Security event ID 4663 for write access attempts targeting the plugin directory; this event is only generated when the "Audit File System" policy is enabled and a SACL auditing write access has been placed on the directory
- Compare installed plugin archive hashes against the vendor-supplied manifest for the running RabbitMQ version
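The ACL audit in the first strategy above can be run against the output of the icacls tool the advisory already mentions. The following is an added example (not the advisory's or the RabbitMQ project's code) that parses that output and reports principals outside an allow-list holding rights that let them create or modify files; the sample output, the 3.8.15 path and the RMQHOST\rabbitmq-svc service account are constructed placeholders.

```python
"""Audit the RabbitMQ plugin directory ACL from icacls output (added example; the
sample output and the service account name below are constructed)."""
import re
# icacls simple and specific rights that allow creating or changing files
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Principals expected to hold write access; the service account is a placeholder
ALLOWED_WRITERS = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM",
                   r"RMQHOST\rabbitmq-svc"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^)]*\))+)\s*$")

def parse_icacls(output, path):
    """Return [(principal, set of flags)] for every ACE line in icacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first ACE shares its line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                            # blank line or the summary line
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("perms"))
        flags = {f.strip() for g in groups for f in g.split(",")}
        aces.append((m.group("who"), flags))
    return aces

def writable_by_unprivileged(output, path, allowed=ALLOWED_WRITERS):
    """List (principal, sorted write rights) for allow ACEs of non-allow-listed principals."""
    findings = []
    for who, flags in parse_icacls(output, path):
        if "DENY" in flags or who in allowed:  # deny ACEs grant nothing
            continue
        granted = sorted(flags & WRITE_RIGHTS)
        if granted:
            findings.append((who, granted))
    return findings

# Constructed sample resembling a pre-3.8.16 install (note the Users write ACE)
PATH = r"C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.15\plugins"
SAMPLE = PATH + r""" BUILTIN\Users:(OI)(CI)(W)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX,WD)
    Everyone:(DENY)(W)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in writable_by_unprivileged(SAMPLE, PATH):
        print(f"FINDING: {who} can write ({', '.join(rights)})")
```

On a live host, feed the script the captured text of `icacls "<plugin dir>"` together with the same path string.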
Monitoring Recommendations
- Enable file integrity monitoring on the RabbitMQ installation directory tree
- Forward RabbitMQ broker logs and Windows Security logs to a centralized SIEM for correlation
- Alert on RabbitMQ service restarts that coincide with plugin directory writes from non-administrative principals
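The last recommendation, a service restart preceded by plugin-directory writes from non-administrative principals, can be expressed as a small correlation rule. This added example (not the advisory's or the project's code) runs that rule over constructed event records shaped like Security 4663 file-write and System 7036 service-state entries after export to a SIEM; the path, user names and plugin file names are constructed placeholders.

```python
"""Correlate RabbitMQ service starts with earlier plugin-directory writes by
non-administrative principals (added example; events below are constructed to
mimic Security 4663 and System 7036 records after export to a SIEM)."""
from datetime import datetime, timedelta
PLUGIN_DIR = r"C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.15\plugins"
# Placeholder admin and service principals expected to touch the directory
TRUSTED_WRITERS = {"Administrator", "SYSTEM", "rabbitmq-svc"}
# 4663 AccessMask bits: WriteData/AddFile, AppendData/AddSubdir, DELETE, WRITE_DAC
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000
LOOKBACK = timedelta(hours=24)      # writes this long before a start are in scope

def is_plugin_write(ev):
    """True for a 4663 event that writes inside the plugin directory."""
    return (ev["id"] == 4663
            and ev["object"].lower().startswith(PLUGIN_DIR.lower())
            and bool(ev["mask"] & WRITE_MASK))

def correlate(events, trusted=TRUSTED_WRITERS):
    """Return [(service start time, [untrusted plugin writes within LOOKBACK])]."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for ev in events:
        if not (ev["id"] == 7036 and ev.get("service") == "RabbitMQ"
                and ev.get("state") == "running"):
            continue                    # only service-start records trigger a check
        since = ev["time"] - LOOKBACK
        writes = [w for w in events
                  if since <= w["time"] <= ev["time"]
                  and is_plugin_write(w) and w["user"] not in trusted]
        if writes:
            alerts.append((ev["time"], writes))
    return alerts

# Constructed events: an unlisted .ez written by a standard user, then a restart
T0 = datetime(2021, 6, 1, 9, 0)
EVENTS = [
    {"id": 4663, "time": T0, "user": "jdoe",
     "object": PLUGIN_DIR + r"\unlisted_plugin-0.1.ez", "mask": 0x2},
    {"id": 4663, "time": T0 + timedelta(minutes=5), "user": "Administrator",
     "object": PLUGIN_DIR + r"\rabbitmq_shovel-3.8.15.ez", "mask": 0x2},
    {"id": 4663, "time": T0 + timedelta(minutes=6), "user": "jdoe",
     "object": r"C:\Users\jdoe\notes.txt", "mask": 0x2},     # outside plugin dir
    {"id": 4663, "time": T0 + timedelta(minutes=7), "user": "jdoe",
     "object": PLUGIN_DIR + r"\README.txt", "mask": 0x1},      # ReadData only
    {"id": 7036, "time": T0 + timedelta(minutes=30), "service": "RabbitMQ",
     "state": "running"},
]
if __name__ == "__main__":
    for started, writes in correlate(EVENTS):
        print(f"ALERT: RabbitMQ started {started} after {len(writes)} untrusted plugin write(s)")
```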
How to Mitigate CVE-2021-22117
Immediate Actions Required
- Upgrade RabbitMQ Server on Windows to version 3.8.16 or later, which applies hardened ACLs to the plugin directory during installation
- Manually restrict permissions on the existing plugin directory so that only the RabbitMQ service account and administrators have write access
- Inventory all plugin archives present on affected hosts and remove any unauthorized files
- Rotate any credentials, certificates, or secrets that the broker had access to if tampering is suspected
Patch Information
Broadcom released the fix in RabbitMQ Server 3.8.16. Refer to the Broadcom Tanzu Security Advisory for CVE-2021-22117 for the official patch notice and upgrade guidance.
Workarounds
- Apply restrictive ACLs to the RabbitMQ plugin directory using icacls to remove write permissions for non-privileged users
- Run the RabbitMQ service under a dedicated low-privileged account that does not share filesystem rights with interactive users
- Restrict interactive logon to RabbitMQ hosts and enforce least-privilege access for operators
# Configuration example: harden the RabbitMQ plugin directory on Windows
# (adjust the versioned path to the installed release; SYSTEM covers a service
# running as Local System, so a dedicated service account needs its own grant)
# First drop inherited ACEs, then set the explicit grants as the only entries
icacls "C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.16\plugins" /inheritance:r
icacls "C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.16\plugins" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.