Vulnerability CVE-2021-21703

Vulnerability Name:

CVE-2021-21703 (CCN-212017)

Assigned:

2021-10-20

Published:

2021-10-20

Updated:

2022-10-29

Summary:

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

CVSS v3 Severity:

7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

6.4 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
5.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.0 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-787
CWE-119

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2021-21703

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20211026 CVE-2021-21703: PHP-FPM 5.3.7 <= 8.0.12 Local Root

Source: CCN
Type: PHP Sec Bug #81026
PHP-FPM oob R/W in root process leading to privilege escalation

Source: MISC
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://bugs.php.net/bug.php?id=81026

Source: XF
Type: UNKNOWN
php-cve202121703-priv-esc(212017)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20211027 [SECURITY] [DLA 2794-1] php7.0 security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-02d218c3be

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-9f68f5f752

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-4140b54de2

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-20

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20211118-0003/

Source: DEBIAN
Type: Third Party Advisory
DSA-4992

Source: DEBIAN
Type: Third Party Advisory
DSA-4993

Source: CCN
Type: IBM Security Bulletin 6845928 (Spectrum Sentinel Anomaly Scan Engine)
Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628)

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: PHP Web site
PHP

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-21703

Vulnerable Configuration:

Configuration 1:

cpe:/a:php:php:*:*:*:*:*:*:*:* (Version >= 7.3.0 and <= 7.3.31)

OR cpe:/a:php:php:*:*:*:*:*:*:*:* (Version >= 7.4.0 and < 7.4.25)

OR cpe:/a:php:php:*:*:*:*:*:*:*:* (Version >= 8.0.0 and < 8.0.12)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

Configuration 5:

cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.5.0.2)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:php:php:7.4.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:7.3.0:-:*:*:*:*:*:*

OR cpe:/a:php:php:8.0.0:-:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8169	P	Security update for SUSE Manager Client Tools (Important)	2023-06-21
oval:org.opensuse.security:def:8189	P	Security update for google-cloud-sap-agent (Important) (in QA)	2023-06-20
oval:org.opensuse.security:def:7499	P	fuse-2.9.7-3.3.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7454	P	btrfsmaintenance-0.4.2-3.3.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:8075	P	apache2-mod_php7-7.4.33-150400.4.22.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:619	P	Security update for php8 (Important) (in QA)	2022-10-03
oval:org.opensuse.security:def:3434	P	apache2-mod_perl-2.0.8-11.43 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95064	P	apache2-mod_php7-7.4.25-150400.2.8 on GA media (Moderate)	2022-06-22
oval:com.redhat.rhsa:def:20221935	P	RHSA-2022:1935: php:7.4 security update (Moderate)	2022-05-10
oval:org.opensuse.security:def:102174	P	Security update for SUSE Manager Server 4.2 (Moderate)	2022-04-25
oval:org.opensuse.security:def:113134	P	php7-7.4.25-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:113138	P	php8-8.0.12-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111162	P	Recommended update for php7 (Moderate)	2021-12-10
oval:org.opensuse.security:def:67002	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:102824	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:69258	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:76413	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:5913	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:118586	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:108840	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:1498	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:96134	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:67345	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:111820	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:102078	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:69278	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:6256	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:109258	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:1712	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:68543	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:102272	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:95461	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:109490	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:102592	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:68588	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:76070	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:118343	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:95879	P	Recommended update for php7 (Moderate)	2021-12-06
oval:org.opensuse.security:def:20985	P	Security update for php72 (Moderate)	2021-11-19
oval:org.opensuse.security:def:5154	P	Security update for php72 (Moderate)	2021-11-19
oval:org.opensuse.security:def:49456	P	Security update for php72 (Moderate)	2021-11-19
oval:org.opensuse.security:def:26167	P	Security update for php72 (Moderate)	2021-11-19
oval:org.opensuse.security:def:20984	P	Security update for php74 (Moderate)	2021-11-18
oval:org.opensuse.security:def:5153	P	Security update for php74 (Moderate)	2021-11-18
oval:org.opensuse.security:def:49455	P	Security update for php74 (Moderate)	2021-11-18
oval:org.opensuse.security:def:26166	P	Security update for php74 (Moderate)	2021-11-18

BACK