CVE-2021-21703 : In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x b

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

Published 2021-10-25 06:15:07

Updated 2022-10-29 02:44:24

Source PHP Group

View at NVD, CVE.org

Vulnerability category: Memory CorruptionBypassGain privilege

Products affected by CVE-2021-21703

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
PHP » PHP
Versions from including (>=) 8.0.0 and before (<) 8.0.12
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Matching versions
PHP » PHP
Versions from including (>=) 7.3.0 and up to, including, (<=) 7.3.31
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Matching versions
PHP » PHP
Versions from including (>=) 7.4.0 and before (<) 7.4.25
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Diameter Signaling Router
Versions from including (>=) 8.0.0.0 and up to, including, (<=) 8.5.0.2
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-21703

Top countries where our scanners detected CVE-2021-21703

Top open port discovered on systems with this issue 80

IPs affected by CVE-2021-21703 261,763

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-21703!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-21703

EPSS FAQ

0.31%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-21703

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H	1.1	6.0	PHP Group
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-21703

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: security@php.net (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.
Assigned by:
- nvd@nist.gov (Primary)
- security@php.net (Secondary)

References for CVE-2021-21703

https://www.debian.org/security/2021/dsa-4992

Debian -- Security Information -- DSA-4992-1 php7.4
Third Party Advisory
https://security.gentoo.org/glsa/202209-20

PHP: Multiple Vulnerabilities (GLSA 202209-20) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20211118-0003/

CVE-2021-21703 PHP Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBM3KKB3RY2YPOKNMC4HIH7IH3T3WC74/

[SECURITY] Fedora 33 Update: php-7.4.25-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Vendor Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Vendor Advisory

CVEs referencing this url
https://www.debian.org/security/2021/dsa-4993

Debian -- Security Information -- DSA-4993-1 php7.3
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JO5RA6YOBGGGKLIA6F6BQRZDDECF5L3R/

[SECURITY] Fedora 34 Update: php-7.4.25-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://bugs.php.net/bug.php?id=81026

PHP :: Sec Bug #81026 :: PHP-FPM oob R/W in root process leading to privilege escalation
Exploit;Issue Tracking;Patch;Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/10/26/7

oss-security - CVE-2021-21703: PHP-FPM 5.3.7 <= 8.0.12 Local Root
Mailing List;Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PZVLICZUJMXOGWOUWSBAEGIVTF6Y6V3/

[SECURITY] Fedora 35 Update: php-8.0.12-2.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00021.html

[SECURITY] [DLA 2794-1] php7.0 security update
Mailing List;Third Party Advisory