One can force the root FPM process to read/write at arbitrary locations using pointers located in the SHM, leading to a privilege escalation from www-data to root. Upstream bug: https://bugs.php.net/bug.php?id=81026
Created php tracking bugs for this issue: Affects: fedora-all [bug 2017129]
Upstream patch for this issue: https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b
Currently PHP has a flaw in the FPM scoreboard mechanism which, when leveraged by an attacker, can lead to local privilege escalation. Currently PHP maintains several per-worker scoreboard-related structures accessed indirectly by pointers to a shared memory mapping; if an attacker manages to escape the FPM sandbox and overwrite those values, they may gain control over these structures, leading to a possible privilege escalation. Such an attack is high in complexity as, to be successful, the attacker first needs to chain it with a sandbox escape exploit or have access to the PHP host.
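Added example, not part of the original report and not PHP-FPM's code or the upstream patch: a minimal C sketch of the trust boundary described above, where a privileged process reads per-worker pointers out of memory that unprivileged workers can write. All names (`struct shared`, `slot_trusting`, `slot_checked`, `slot_by_index`) are hypothetical, and a static struct stands in for the shared mapping.

```c
#include <stddef.h>
#include <stdint.h>

#define NPROCS 4

/* Hypothetical per-worker slot; not PHP-FPM's real layout. */
struct slot { int used; long requests; };

/* Region shared between the privileged master and unprivileged workers. */
struct shared {
    struct slot *by_ptr[NPROCS]; /* risky: pointers any worker can rewrite */
    struct slot  slots[NPROCS];  /* slots stored inline in the region */
};

/* Risky pattern: the master dereferences whatever address the region holds. */
struct slot *slot_trusting(struct shared *shm, unsigned i) {
    return i < NPROCS ? shm->by_ptr[i] : NULL;
}

/* Hardened pattern: accept the pointer only if it is exactly one of the
 * inline slots, i.e. inside the region and aligned to an element boundary. */
struct slot *slot_checked(struct shared *shm, unsigned i) {
    if (i >= NPROCS) return NULL;
    uintptr_t p = (uintptr_t)shm->by_ptr[i];
    uintptr_t base = (uintptr_t)shm->slots;
    if (p < base || p >= base + sizeof shm->slots) return NULL;
    if ((p - base) % sizeof(struct slot) != 0) return NULL;
    return (struct slot *)p;
}

/* Simplest design: never read a pointer from shared memory, index only. */
struct slot *slot_by_index(struct shared *shm, unsigned i) {
    return i < NPROCS ? &shm->slots[i] : NULL;
}

/* Constructed scenario: a worker rewrites by_ptr[1] so that it points at
 * master-private data. Returns a bitmask of the observed outcomes. */
int simulate_tamper(void) {
    static struct shared shm;          /* stands in for the mmap'd region */
    static struct slot master_private; /* memory outside the shared region */
    for (unsigned i = 0; i < NPROCS; i++) shm.by_ptr[i] = &shm.slots[i];
    shm.by_ptr[1] = &master_private;   /* the tampered entry */
    int r = 0;
    if (slot_trusting(&shm, 1) == &master_private) r |= 1; /* followed blindly */
    if (slot_checked(&shm, 1) == NULL)             r |= 2; /* rejected */
    if (slot_by_index(&shm, 1) == &shm.slots[1])   r |= 4; /* unaffected */
    if (slot_checked(&shm, 0) == &shm.slots[0])    r |= 8; /* valid entry kept */
    return r;
}
```

`simulate_tamper()` returns 15: the trusting accessor hands back the out-of-region address, while the bounds-checked and index-only accessors do not.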
Hi, any info on when an errata will be published for this flaw? TIA!
Can you please provide an update as to whether this will be fixed? Specifically, when do you expect this to be corrected in Red Hat Software Collections (rh-php73-php)? See https://access.redhat.com/security/cve/cve-2021-21703. Thank you!
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1935 https://access.redhat.com/errata/RHSA-2022:1935
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21703
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:5491 https://access.redhat.com/errata/RHSA-2022:5491