CVE-2021-21703
Description
RHSA-2022:1935: php:7.4 security update (Moderate)
Description
php: Local privilege escalation via PHP-FPM
Red Hat statement
This vulnerability affects only systems with php-fpm enabled in their configuration. For an attack to be completed successfully, the attacker needs to chain this vulnerability with some other vulnerability that allows escape from the FPM sandbox first.
CVSS v3: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | php:7.4-8060020220120080432.0a326c83 | RHSA-2022:1935 | 2022-05-10T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-php73-php-0:7.3.33-1.el7 | RHSA-2022:5491 | 2022-07-04T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | php | Out of support scope |
| Red Hat Enterprise Linux 7 | php | Out of support scope |
| Red Hat Enterprise Linux 8 | php:7.3/php | Out of support scope |
| Red Hat Enterprise Linux 9 | php | Not affected |
Apply commands
yum update -y php:7
# or:
dnf upgrade -y php:7
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 9 | Not affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | php-process-7.4.19-2.module_el8.6.0+2750+78feabcb.aarch64.rpm |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Fixed | 8.0.12-1 |
Debian Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| bullseye | Fixed | 7.4.25-1+deb11u1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
References
- https://www.suse.com/security/cve/CVE-2021-21703.html
- https://errata.rockylinux.org/RLSA-2022:1935
- https://security-tracker.debian.org/tracker/CVE-2021-21703
- https://access.redhat.com/errata/RHSA-2022:1935
- https://bugzilla.redhat.com/1978755
- https://bugzilla.redhat.com/2016535
- https://errata.almalinux.org/8/ALSA-2022-1935.html