Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Critical PHP-FPM Vulnerability
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Critical PHP-FPM Vulnerability

FoxelVoxFoxelVox Member
edited October 2021 in General

A 'new' (from may this year) privilege escalation exploit in PHP-FPM has been found by a security firm. More information about CVE-2021-21703:

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

DirectAdmin has already patches out it seems, just update with the standard way via custombuild.

For debian, please track the progress here: https://security-tracker.debian.org/tracker/CVE-2021-21703

The PHP team also announced that since PHP7.3 is close to being end of life, they will probably not be updating it and they will rely on third-party repomasters (like Ondrey) for keeping <php7.3 up to date.

Update asap people! :)

Comments

  • The bug report at php.net is from May, 10

    It is not a "new" bug at all, I believe. Still critical to patch though.

  • @gapper at that time it was indeed first discovered but patches are only rolling out since today.. :(.

  • @FoxelVox said:
    A 'new' (from may this year) privilege escalation exploit in PHP-FPM has been found by a security firm. More information about CVE-2021-21703:

    In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

    DirectAdmin has already patches out it seems, just update with the standard way via custombuild.

    For debian, please track the progress here: https://security-tracker.debian.org/tracker/CVE-2021-21703

    The PHP team also announced that since PHP7.3 is close to being end of life, they will probably not be updating it and they will rely on third-party repomasters (like Ondrey) for keeping <php7.3 up to date.

    Update asap people! :)

    Yeah, just updated my boxes a couple of hours ago. Thanks for sharing the info here as well.

    Thanked by 1FoxelVox
  • @FoxelVox said:
    @gapper at that time it was indeed first discovered but patches are only rolling out since today.. :(.

    Thank you, I will update it soon

  • @DA_Mark Is DA also going to provide updates for the <PHP7.3 versions with FPM handler? Maybe via a external repo or something like that?

  • NetDynamics24NetDynamics24 Member, Host Rep

    What about cpanel and/or Cloudlinux? Are they already patched?

  • Hey @NetDynamics24 ! I can't find any information on cPanel + php-fpm actually, not sure about that. Cloudlinux/LSPHP isn't affected by this issue it seems, it's only php-fpm related.

    I also already found my answer regarding DirectAdmin thanks to a colleague of mine; DirectAdmin + php-fpm already had patches out it seems if we look into the custombuild scripts:

            if [ "${INT_RELEASE}" = "7.1" ] || [ "${INT_RELEASE}" = "7.2" ] || [ "${INT_RELEASE}" = "7.3" ]; then
                    getFile patches/fpm_scoreboard_proc_oob_fix_v4.patch fpm_scoreboard_proc_oob_fix_v4.patch
            fi
    
            if [ "${INT_RELEASE}" = "7.0" ]; then
                    getFile patches/fpm_scoreboard_proc_oob_fix_v4_7.0.patch fpm_scoreboard_proc_oob_fix_v4_7.0.patch
            fi
    
            if [ "${INT_RELEASE}" = "5.6" ]; then
                    getFile patches/fpm_scoreboard_proc_oob_fix_v4_5.6.patch fpm_scoreboard_proc_oob_fix_v4_5.6.patch
            fi
    

    Nice job, DA team :). Now only some CentOS and Debian/Ubuntu versions left to patch.

    Thanked by 1raindog308
  • smtalksmtalk Member
    edited October 2021

    @FoxelVox said:
    I also already found my answer regarding DirectAdmin thanks to a colleague of mine;

    Yes, versions 5.6 and up are patched :smile:

    Thanked by 1FoxelVox
  • @smtalk said:

    @FoxelVox said:
    I also already found my answer regarding DirectAdmin thanks to a colleague of mine;

    Yes, versions 5.6 and up are patched :smile:

    You're a legend Martynas, thanks :)

    Thanked by 1smtalk
  • FoxelVoxFoxelVox Member
    edited October 2021

    Ok so, Ubuntu also released their mailing. Looks like they updated even PHP5-fpm under the Extended Security Maintenance license which is nice :). They also fixed it for 7.2 in 18.04 LTS.


    Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: php8.0-fpm 8.0.8-1ubuntu0.1 Ubuntu 21.04: php7.4-fpm 7.4.16-1ubuntu2.2 Ubuntu 20.04 LTS: php7.4-fpm 7.4.3-4ubuntu2.7 Ubuntu 18.04 LTS: php7.2-fpm 7.2.24-0ubuntu0.18.04.10 Ubuntu 16.04 ESM: php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm2 Ubuntu 14.04 ESM: php5-fpm 5.5.9+dfsg-1ubuntu4.29+esm15 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5125-1 CVE-2021-21703 Package Information: https://launchpad.net/ubuntu/+source/php8.0/8.0.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/php7.4/7.4.16-1ubuntu2.2 https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.7 https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.10
  • @FoxelVox said:
    Ok so, Ubuntu also released their mailing. Looks like they updated even PHP5-fpm under the Extended Security Maintenance license which is nice :). They also fixed it for 7.2 in 18.04 LTS.


    Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: php8.0-fpm 8.0.8-1ubuntu0.1 Ubuntu 21.04: php7.4-fpm 7.4.16-1ubuntu2.2 Ubuntu 20.04 LTS: php7.4-fpm 7.4.3-4ubuntu2.7 Ubuntu 18.04 LTS: php7.2-fpm 7.2.24-0ubuntu0.18.04.10 Ubuntu 16.04 ESM: php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm2 Ubuntu 14.04 ESM: php5-fpm 5.5.9+dfsg-1ubuntu4.29+esm15 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5125-1 CVE-2021-21703 Package Information: https://launchpad.net/ubuntu/+source/php8.0/8.0.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/php7.4/7.4.16-1ubuntu2.2 https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.7 https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.10

    So they are not patching php7.3??

    Thats disappointing..

  • DecicusDecicus Member
    edited October 2021

    @NobodyInteresting said:

    @FoxelVox said:
    Ok so, Ubuntu also released their mailing. Looks like they updated even PHP5-fpm under the Extended Security Maintenance license which is nice :). They also fixed it for 7.2 in 18.04 LTS.


    Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: php8.0-fpm 8.0.8-1ubuntu0.1 Ubuntu 21.04: php7.4-fpm 7.4.16-1ubuntu2.2 Ubuntu 20.04 LTS: php7.4-fpm 7.4.3-4ubuntu2.7 Ubuntu 18.04 LTS: php7.2-fpm 7.2.24-0ubuntu0.18.04.10 Ubuntu 16.04 ESM: php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm2 Ubuntu 14.04 ESM: php5-fpm 5.5.9+dfsg-1ubuntu4.29+esm15 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5125-1 CVE-2021-21703 Package Information: https://launchpad.net/ubuntu/+source/php8.0/8.0.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/php7.4/7.4.16-1ubuntu2.2 https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.7 https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.10

    So they are not patching php7.3??

    Thats disappointing..

    I'm guessing it's because PHP 7.3 was never part of any LTS release and isn't in any currently supported Ubuntu release (I assume they might've been part of Ubuntu 19.xx, but those are all EOL).

    Though it seems that Ondřej Surý's repo has gotten the patch for 7.3 (as well as other PHP versions)

Sign In or Register to comment.