CVE-2021-21703
Description
Moderate: php:7.4 security update
Description
php: Local privilege escalation via PHP-FPM
Red Hat statement
This vulnerability affects only systems with php-fpm enabled in its configuration. For an attack to be completed successfully, the attacker needs to chain this vulnerability with some other vulnerability that allows escape from the FPM sandbox first.
CVSS v3: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | php:7.4-8060020220120080432.0a326c83 | RHSA-2022:1935 | 2022-05-10T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-php73-php-0:7.3.33-1.el7 | RHSA-2022:5491 | 2022-07-04T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | php | Out of support scope |
| Red Hat Enterprise Linux 7 | php | Out of support scope |
| Red Hat Enterprise Linux 8 | php:7.3/php | Out of support scope |
| Red Hat Enterprise Linux 9 | php | Not affected |
Apply commands
```shell
yum update -y php:7
# or:
dnf upgrade -y php:7
```
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 9 | Not affected |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 8.0.12-1 |
| sles | | affected | |
| rocky | 8 | fixed | |
| debian | bullseye | fixed | 7.4.25-1+deb11u1 |
| almalinux | 8 | fixed | php-process-7.4.19-2.module_el8.6.0+2750+78feabcb.aarch64.rpm |
References
- https://www.suse.com/security/cve/CVE-2021-21703.html
- https://errata.rockylinux.org/RLSA-2022:1935
- https://security-tracker.debian.org/tracker/CVE-2021-21703
- https://access.redhat.com/errata/RHSA-2022:1935
- https://bugzilla.redhat.com/1978755
- https://bugzilla.redhat.com/2016535
- https://errata.almalinux.org/8/ALSA-2022-1935.html