Platform: php
Component: php
Fixed in: 7.3.32, 7.4.25, 8.0.12
CVE-2021-21703 is a privilege escalation vulnerability in the PHP FPM SAPI. When PHP FPM runs with a root master daemon and lower-privileged worker processes, a child process can modify memory shared with the master, causing the root process to perform invalid memory operations and potentially escalating privileges to root. This affects PHP versions 7.3.0 through 7.3.31, 7.4.x before 7.4.25, and 8.0.x before 8.0.12. The vulnerability is fixed in PHP 7.3.32, 7.4.25 and 8.0.12.
CVE-2021-21703 is a privilege escalation vulnerability in PHP affecting specific versions of PHP FPM (FastCGI Process Manager). If your PHP FPM server is configured with the main daemon process running as root and child worker processes running as lower-privileged users, a local attacker could exploit this vulnerability. The vulnerability lies in how child processes can access and modify shared memory with the root process, allowing for the execution of arbitrary code with root privileges. Affected versions include PHP 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25, and 8.0.x below 8.0.12. The CVSS severity score is 7.8, indicating a high risk. This vulnerability is particularly concerning in shared hosting environments where multiple users share the same server.
Exploitation of CVE-2021-21703 requires local access to the system: an attacker must already be able to execute code as a PHP FPM worker on the affected host. The vulnerability stems from the ability of PHP FPM child processes to manipulate memory shared with the root master process. A crafted payload that abuses how PHP FPM handles this shared memory can write to memory areas that would normally be inaccessible. The complexity of exploitation varies with the specific system configuration and the payload used. The absence of a CISA KEV (Known Exploited Vulnerabilities) catalog entry indicates that exploitation in the wild has not been recorded, but the vulnerability remains a significant risk because of the privilege escalation it enables.
Exploit Status
EPSS: 0.13% (33rd percentile)
CVSS Vector
The primary mitigation for CVE-2021-21703 is to upgrade to a PHP version that has addressed the vulnerability. Fixed versions are PHP 8.0.12 or higher, PHP 7.4.25 or higher, and PHP 7.3 releases later than 7.3.31 (7.3.32 onward). If immediate upgrading is not possible, consider temporary measures such as not running the PHP FPM master process as root. This may involve changing the user under which the main daemon process runs to one with limited privileges. It is also important to review your PHP FPM configuration to ensure there are no unnecessary settings that could increase the risk of exploitation. An Intrusion Detection System (IDS) can help identify exploitation attempts.
Update to PHP version 7.4.25 or higher, or to version 8.0.12 or higher. This corrects the vulnerability that allows privilege escalation.
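The following audit helper is an added example, not code from the PHP project or from this advisory. It checks a php-fpm version string against the affected ranges stated above and reads the owner of the php-fpm master process from ps output, so an administrator can tell whether a host is in the exposed configuration (affected version with a root master). The sample banner and ps lines are constructed, and the x.y.z version format is assumed.

```sh
#!/bin/sh
# Audit helper for CVE-2021-21703 (added example; not from the PHP project).
# Reports whether a php-fpm version is in an affected range and whether the
# master process runs as root, the combination the advisory describes.

# Print the version from a "PHP 7.4.24 (fpm-fcgi) ..." banner (php-fpm -v) read on stdin.
php_version_from_banner() {
  awk '/^PHP [0-9]/ { print $2; exit }'
}

# Return 0 if $1 (x.y.z) is affected: 7.3.x < 7.3.32, 7.4.x < 7.4.25, 8.0.x < 8.0.12.
# Returns 1 for fixed releases and for branches the advisory does not list,
# and 2 if the string cannot be parsed as x.y.z.
cve_2021_21703_vulnerable() {
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}              # strip suffixes such as "-dev" or "RC1"
  [ -n "$patch" ] && [ "$patch" != "$rest" ] || return 2
  case "$major.$minor" in
    7.3) [ "$patch" -lt 32 ] ;;
    7.4) [ "$patch" -lt 25 ] ;;
    8.0) [ "$patch" -lt 12 ] ;;
    *)   return 1 ;;
  esac
}

# Print the owner of the php-fpm master process from "ps -eo user,pid,args"
# output on stdin; prints nothing if no master process is listed.
fpm_master_user() {
  awk '/php-fpm: master process/ { print $1; exit }'
}

# Return 0 when the exposed combination is present: $1 is the version, $2 the
# master process owner. A non-zero status means not exposed or unparsable version.
exposed() {
  cve_2021_21703_vulnerable "$1" && [ "$2" = root ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER='PHP 7.4.24 (fpm-fcgi) (built: Sep 23 2021 10:00:00)'
SAMPLE_PS='root     1234 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
www-data 1235 php-fpm: pool www
www-data 1236 php-fpm: pool www'

ver=$(printf '%s\n' "$SAMPLE_BANNER" | php_version_from_banner)
owner=$(printf '%s\n' "$SAMPLE_PS" | fpm_master_user)
if exposed "$ver" "$owner"; then
  echo "php-fpm $ver with master running as $owner: affected by CVE-2021-21703, upgrade"
else
  echo "php-fpm $ver (master owner: ${owner:-none}): not in the affected configuration"
fi
```

On a live host, replace the constructed samples with `php-fpm -v | php_version_from_banner` and `ps -eo user,pid,args | fpm_master_user`.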
PHP FPM (FastCGI Process Manager) is a process manager for PHP that improves performance and security compared to other PHP execution methods.
Yes, it is generally necessary to restart the web server (e.g., Apache or Nginx) and the PHP FPM service after updating PHP for the changes to take effect.
If you cannot upgrade PHP immediately, consider running PHP FPM as a non-root user as a temporary measure. However, this may impact performance and compatibility.
You can check your PHP version by running the command php -v in the command line.
You can find more information about CVE-2021-21703 on the NVD (National Vulnerability Database) and on the PHP website.