Bug 2016535 (CVE-2021-21703) - CVE-2021-21703 php: Local privilege escalation via PHP-FPM
Summary: CVE-2021-21703 php: Local privilege escalation via PHP-FPM
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-21703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2017111 2017129 2018202 2018203 2018204 2100754
Blocks: 2016537
Reported: 2021-10-21 20:27 UTC by Pedro Sampaio
Modified: 2022-07-04 11:38 UTC (History)

Fixed In Version: php 7.4.25, php 8.0.12
Doc Text:
php-fpm has a vulnerability which may lead to local privilege escalation. This vulnerability is hard to exploit as the attack needs to escape the FPM sandbox mechanism. When a complete attack is achieved it may lead to risk for confidentiality, data integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2022-05-12 01:15:16 UTC
Embargoed:


Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2022:5493 | 0       | None     | None   | None    | 2022-07-04 11:38:19 UTC
Red Hat Product Errata | RHSA-2022:1935 | 0       | None     | None   | None    | 2022-05-10 14:23:29 UTC
Red Hat Product Errata | RHSA-2022:5491 | 0       | None     | None   | None    | 2022-07-04 07:43:18 UTC

Description Pedro Sampaio 2021-10-21 20:27:32 UTC
One can force the root FPM process to read/write at arbitrary locations using pointers located in the SHM, leading to a privilege escalation from www-data to root.

Upstream bug:

https://bugs.php.net/bug.php?id=81026

Comment 2 Marco Benatto 2021-10-25 17:40:06 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2017129]

Comment 4 Marco Benatto 2021-10-29 14:44:29 UTC
Upstream patch for this issue:
https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b

Comment 5 Marco Benatto 2021-11-03 13:20:03 UTC
Currently PHP has a flaw in the FPM scoreboard mechanism which, when leveraged by an attacker, can lead to local privilege escalation. Currently PHP maintains several per-worker scoreboard-related structures accessed indirectly by pointers to a shared memory mapping. If an attacker manages to escape the FPM sandbox and overwrite those values, they may gain control over these structures, leading to a possible privilege escalation.
Such an attack is high in complexity as, to be successful, the attacker needs to first chain it with a sandbox escape exploit or have access to the PHP host.
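
The bug class described in the report and in comment 5, as an added example (not PHP-FPM source code and not the upstream patch): a privileged process that follows pointers stored in worker-writable shared memory, beside a layout that keeps records inline and checks the index against a privately held limit. All struct and function names are hypothetical, and the "shared" region is an ordinary struct standing in for a real mapping.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_SLOTS 4
struct slot { uint64_t requests; };

/* Risky layout: pointers to per-worker records live in the shared region. */
struct shared_v1 { unsigned int nslots; struct slot *slots[MAX_SLOTS]; };
/* Hardened layout: records are stored inline, so there is no pointer to forge. */
struct shared_v2 { unsigned int nslots; struct slot slots[MAX_SLOTS]; };

/* Privileged side, risky: writes wherever the shared pointer says. */
void master_count_v1(struct shared_v1 *shm, unsigned int i) {
    shm->slots[i]->requests++;          /* target address is worker-controlled */
}

/* Privileged side, hardened: the index is checked against a limit held in the
 * master's private memory (never shm->nslots), so the write can only land
 * inside the region. Returns 0 on success, -1 if the request is rejected. */
int master_count_v2(struct shared_v2 *shm, unsigned int private_nslots,
                    unsigned int i) {
    if (shm == NULL || private_nslots > MAX_SLOTS || i >= private_nslots)
        return -1;
    shm->slots[i].requests++;
    return 0;
}

/* Constructed scenario: a worker repoints slot 0 at master-private data. */
uint64_t demo_v1_writes_outside_region(void) {
    struct slot real = { 0 }, master_private = { 41 };
    struct shared_v1 shm = { 1, { &real } };
    shm.slots[0] = &master_private;     /* tampering by a worker */
    master_count_v1(&shm, 0);
    return master_private.requests;     /* private data was modified */
}

/* Constructed scenario: a worker inflates the shared count; it is ignored. */
int demo_v2_rejects(void) {
    struct shared_v2 shm = { 1, { { 0 } } };
    shm.nslots = 1000;                  /* tampering by a worker */
    return master_count_v2(&shm, 1, 7);
}

/* Legitimate update through the hardened path still works. */
uint64_t demo_v2_accepts(void) {
    struct shared_v2 shm = { 1, { { 0 } } };
    if (master_count_v2(&shm, 1, 0) != 0) return 0;
    return shm.slots[0].requests;
}
```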

Comment 7 seferovic 2021-12-14 08:27:46 UTC
Hi, any info on when an errata will be published for this flaw? TIA!

Comment 8 Jeremy Dreese 2022-02-28 13:17:21 UTC
Can you please provide an update as to whether this will be fixed? Specifically, when do you expect this to be corrected in Red Hat Software Collections (rh-php73-php)? See https://access.redhat.com/security/cve/cve-2021-21703. Thank you!

Comment 9 errata-xmlrpc 2022-05-10 14:23:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1935 https://access.redhat.com/errata/RHSA-2022:1935

Comment 10 Product Security DevOps Team 2022-05-12 01:15:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21703

Comment 11 errata-xmlrpc 2022-07-04 07:43:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:5491 https://access.redhat.com/errata/RHSA-2022:5491

