Bug 2016535 (CVE-2021-21703)

Summary: CVE-2021-21703 php: Local privilege escalation via PHP-FPM
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, hhorak, jdreese, jorton, mark, rcollet, seferovic
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php 7.4.25, php 8.0.12
Doc Type: If docs needed, set a value
Doc Text:
php-fpm has a vulnerability that may lead to local privilege escalation. It is hard to exploit, as the attack first needs to escape the FPM sandbox mechanism. A complete attack may put confidentiality, data integrity, and system availability at risk.
Story Points: ---
Last Closed: 2022-05-12 01:15:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2017111, 2017129, 2018202, 2018203, 2018204, 2100754
Bug Blocks: 2016537

Description Pedro Sampaio 2021-10-21 20:27:32 UTC
One can force the root FPM process to read/write at arbitrary locations using pointers located in the SHM, leading to a privilege escalation from www-data to root.

Upstream bug:

https://bugs.php.net/bug.php?id=81026

Comment 2 Marco Benatto 2021-10-25 17:40:06 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2017129]

Comment 4 Marco Benatto 2021-10-29 14:44:29 UTC
Upstream patch for this issue:
https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b

Comment 5 Marco Benatto 2021-11-03 13:20:03 UTC
Currently PHP has a flaw in the FPM scoreboard mechanism which, when leveraged by an attacker, can lead to local privilege escalation. Currently PHP maintains several per-worker scoreboard-related structures accessed indirectly by pointers to a shared memory mapping; if an attacker manages to escape the FPM sandbox and overwrite those values, they may gain control over these structures, leading to a possible privilege escalation.
Such an attack is high in complexity as, to be successful, the attacker needs to first chain it with a sandbox escape exploit or have access to the PHP host.
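The hardening principle behind the flaw Comment 5 describes, as an added C example rather than php-fpm's own code: a root-owned master must never follow pointers that live in a worker-writable shared mapping, so records are stored inline and selected by a bounds-checked index against a count the master owns. All type and function names here are assumptions.

```c
/* Added example (not php-fpm's code): why a root-owned master must not
 * follow pointers stored in a worker-writable shared mapping, and the
 * index-based layout that removes the problem.  All identifiers here are
 * hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define MAX_PROCS 8

typedef struct {
    uint32_t pid;
    uint32_t requests;
} proc_t;

/* Before: the mapping holds an array of pointers.  Every worker can write
 * the mapping, so whatever address a worker stores here is where the
 * master will read and write with root privileges. */
typedef struct {
    uint32_t nprocs;
    proc_t  *procs[MAX_PROCS];
} scoreboard_ptr_t;

/* After: records live inline in the mapping and are selected by index.
 * No address is ever loaded from shared memory. */
typedef struct {
    uint32_t nprocs;           /* informational only; never used as a bound */
    proc_t   procs[MAX_PROCS];
} scoreboard_t;

/* Master-side lookup.  The bound comes from the master's own copy of the
 * worker count, not from the shared mapping, so a worker cannot widen it. */
proc_t *scoreboard_proc_get(scoreboard_t *sb, uint32_t master_nprocs,
                            uint32_t child_index)
{
    if (master_nprocs > MAX_PROCS || child_index >= master_nprocs)
        return NULL;           /* out of range: refuse, touch no memory */
    return &sb->procs[child_index];
}

/* Master-side write path built on the checked lookup.
 * Returns 0 on success, -1 if the index was rejected. */
int scoreboard_proc_set_pid(scoreboard_t *sb, uint32_t master_nprocs,
                            uint32_t child_index, uint32_t pid)
{
    proc_t *p = scoreboard_proc_get(sb, master_nprocs, child_index);
    if (p == NULL)
        return -1;
    p->pid = pid;
    return 0;
}
```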

Comment 7 seferovic 2021-12-14 08:27:46 UTC
Hi, any info on when an errata will be published for this flaw? TIA!

Comment 8 Jeremy Dreese 2022-02-28 13:17:21 UTC
Can you please provide an update as to whether this will be fixed? Specifically, when do you expect this to be corrected in Red Hat Software Collections (rh-php73-php)? See https://access.redhat.com/security/cve/cve-2021-21703. Thank you!

Comment 9 errata-xmlrpc 2022-05-10 14:23:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1935 https://access.redhat.com/errata/RHSA-2022:1935

Comment 10 Product Security DevOps Team 2022-05-12 01:15:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21703

Comment 11 errata-xmlrpc 2022-07-04 07:43:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:5491 https://access.redhat.com/errata/RHSA-2022:5491