CVE-2021-21703 — HIGH (7.8)

Q: How severe is CVE-2021-21703?

CVE-2021-21703 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21703?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Fedoraproject Fedora, Netapp Clustered Data Ontap, Oracle Communications Diameter Signaling Router.

Vulnerability Description

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.3.0, <= 7.3.31
Debian	Debian Linux	9.0
Fedoraproject	Fedora	33
Netapp	Clustered Data Ontap	-
Oracle	Communications Diameter Signaling Router	>= 8.0.0.0, <= 8.5.0.2

Related Weaknesses (CWE)

CWE-284 CWE-787

References

http://www.openwall.com/lists/oss-security/2021/10/26/7Mailing ListPatchThird Party Advisory
https://bugs.php.net/bug.php?id=81026ExploitIssue TrackingPatch
https://lists.debian.org/debian-lts-announce/2021/10/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202209-20Third Party Advisory
https://security.netapp.com/advisory/ntap-20211118-0003/Third Party Advisory
https://www.debian.org/security/2021/dsa-4992Third Party Advisory
https://www.debian.org/security/2021/dsa-4993Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchVendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchVendor Advisory
http://www.openwall.com/lists/oss-security/2021/10/26/7Mailing ListPatchThird Party Advisory
https://bugs.php.net/bug.php?id=81026ExploitIssue TrackingPatch
https://lists.debian.org/debian-lts-announce/2021/10/msg00021.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2021-21703?

CVE-2021-21703 is a vulnerability with a CVSS score of 7.8 (HIGH). In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running a...

How severe is CVE-2021-21703?

CVE-2021-21703 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21703?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Fedoraproject Fedora, Netapp Clustered Data Ontap, Oracle Communications Diameter Signaling Router.