Critical PHP-FPM Vulnerability
A 'new' (from May this year) privilege escalation exploit in PHP-FPM has been found by a security firm. More information about CVE-2021-21703:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21703
- https://www.ambionics.io/blog/php-fpm-local-root
- https://bugs.php.net/bug.php?id=81026
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.
DirectAdmin already has patches out, it seems; just update the standard way via CustomBuild.
For Debian, please track the progress here: https://security-tracker.debian.org/tracker/CVE-2021-21703
The PHP team also announced that since PHP 7.3 is close to end of life, they will probably not be updating it and will rely on third-party repomasters (like Ondřej) for keeping <PHP 7.3 up to date.
Update ASAP, people!
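As an added example (not part of the original post or of any vendor's tooling), two quick defender-side checks for this CVE: one classifies an upstream PHP version against the affected ranges quoted above, the other reads a process listing and reports whether a root php-fpm master has lower-privileged workers, the precondition the advisory names. The process listing is a constructed sample; on a real host you would pipe in `ps -eo user,pid,ppid,comm`.

```shell
#!/bin/sh
# Added example (not from the original post): two defensive checks for
# CVE-2021-21703. version_status compares an upstream PHP version string
# against the affected ranges quoted above (7.3.x <= 7.3.31, 7.4.x < 7.4.25,
# 8.0.x < 8.0.12). Distro builds keep the old upstream number after a
# backported fix (Ubuntu's 7.2 and 5.6 mentioned in the thread), so for
# those trust the vendor tracker, not this check. fpm_layout reads
# "USER PID PPID COMM" lines and reports whether a root php-fpm master has
# non-root workers, which is the precondition the advisory names.

version_status() {
  # Accepts "7.4.24", "7.4.3-4ubuntu2.8" or the first line of `php-fpm -v`.
  v=$(printf '%s' "$1" | sed 's/^PHP //; s/[^0-9.].*//')
  set -- $(printf '%s' "$v" | tr . ' ')
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  case "$maj.$min" in
    7.3) [ "$pat" -le 31 ] && echo vulnerable || echo fixed ;;
    7.4) [ "$pat" -lt 25 ] && echo vulnerable || echo fixed ;;
    8.0) [ "$pat" -lt 12 ] && echo vulnerable || echo fixed ;;
    8.*) echo fixed ;;        # outside the affected ranges quoted above
    *)   echo unknown ;;      # 7.2, 5.6, ...: EOL upstream, vendor patches only
  esac
}

# Output: exposed (root master with non-root workers), safe, or none.
# The master is the php-fpm process whose parent is not itself php-fpm.
fpm_layout() {
  awk '
    $4 ~ /php-fpm/ { user[$2] = $1; ppid[$2] = $3; fpm[$2] = 1 }
    END {
      for (p in fpm) { k = ppid[p]; if (!(k in fpm)) { master = p; break } }
      if (master == "")            { print "none"; exit }
      if (user[master] != "root")  { print "safe"; exit }
      for (p in fpm) if (ppid[p] == master && user[p] != "root") { print "exposed"; exit }
      print "safe"
    }'
}

# Constructed sample listing, shaped like `ps -eo user,pid,ppid,comm`.
SAMPLE_PS='root     1201     1 php-fpm7.4
www-data 1210  1201 php-fpm7.4
www-data 1211  1201 php-fpm7.4
root      900     1 sshd'

for ver in 7.3.31 7.3.32 7.4.24 7.4.25 8.0.11 8.0.12 7.2.34; do
  printf '%-8s %s\n' "$ver" "$(version_status "$ver")"
done
printf 'process layout: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | fpm_layout)"
```

A Debian/Ubuntu build such as `7.4.3-4ubuntu2.8` is reported as vulnerable by upstream numbering even after the distro backport, which is exactly why the security trackers linked above are the authority for packaged PHP.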
Comments
The bug report at php.net is from May 10.
It is not a "new" bug at all, I believe. Still critical to patch though.
@gapper At that time it was indeed first discovered, but patches have only been rolling out since today.
Yeah, just updated my boxes a couple of hours ago. Thanks for sharing the info here as well.
Thank you, I will update it soon
@DA_Mark Is DA also going to provide updates for the <PHP 7.3 versions with the FPM handler? Maybe via an external repo or something like that?
What about cpanel and/or Cloudlinux? Are they already patched?
Hey @NetDynamics24! I can't find any information on cPanel + php-fpm actually, not sure about that. CloudLinux/LSPHP isn't affected by this issue it seems; it's only php-fpm related.
I also already found my answer regarding DirectAdmin thanks to a colleague of mine; DirectAdmin + php-fpm already has patches out, it seems, if we look into the CustomBuild scripts:
Nice job, DA team. Now only some CentOS and Debian/Ubuntu versions left to patch.
Yes, versions 5.6 and up are patched
You're a legend Martynas, thanks
OK so, Ubuntu also released their mailing. Looks like they updated even PHP5-fpm under the Extended Security Maintenance license, which is nice. They also fixed it for 7.2 in 18.04 LTS.
So they are not patching php7.3??
That's disappointing..
I'm guessing it's because PHP 7.3 was never part of any LTS release and isn't in any currently supported Ubuntu release (I assume they might've been part of Ubuntu 19.xx, but those are all EOL).
Though it seems that Ondřej Surý's repo has gotten the patch for 7.3 (as well as other PHP versions).
Seems like Debian has patched 7.3:
https://www.debian.org/security/2021/dsa-4993