- CVE-2021-21703 was discovered in PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12.
- The vulnerability affects only PHP running in PHP-FPM mode.
When the PHP-FPM SAPI runs with the main FPM daemon process as root and the child worker processes as lower-privileged users, the child processes can access memory shared with the main process and write to it, modifying it in a way that causes the root process to perform invalid memory reads and writes. This can be used to escalate privileges from a local unprivileged user to the root user.
Call to action
Fixes for PHP versions 5.6, 7.0, 7.1, 7.2, 7.3, 7.4, and 8.0 are supplied by Plesk via Tools & Settings > Updates.
The fixes are only available for the supported operating systems.
PHP versions including the fixes were released starting from October 2021. Builds with a timestamp of 2110 or higher therefore already contain the fix. This can be checked with the following steps:
- Connect to the server via SSH
- Check the package build versions using the following commands:
On the Debian-based OS:
# dpkg -l | grep "plesk-php..\ "
ii plesk-php73 1:7.3.32-ubuntu.20.04.211028.1754 amd64 PHP scripting language for creating dynamic web sites
ii plesk-php74 7.4.25-ubuntu.20.04.211025.1356 amd64 PHP scripting language for creating dynamic web sites
On the RedHat-based OS:
# yum list installed | grep "php..\.x86_64"
plesk-php56.x86_64 5.6.40-centos7.21111012 @PLESK_17_PHP56
plesk-php70.x86_64 7.0.33-centos7.21110918 @PLESK_17_PHP70
plesk-php71.x86_64 7.1.33-1centos.7.211108.1944 @PLESK_17_PHP71
plesk-php72.x86_64 1:7.2.34-1centos.7.211108.1944 @PLESK_17_PHP72
plesk-php73.x86_64 1:7.3.32-1centos.7.211028.1754 @PLESK_17_PHP73
plesk-php74.x86_64 7.4.25-1centos.7.211025.1356 @PLESK_17_PHP74
plesk-php80.x86_64 8.0.12-1centos.7.211025.1356 @PLESK_17_PHP80
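
The timestamp check described above can be scripted. The following is an added example, not a Plesk tool. It assumes the build timestamp is the first 6- or 8-digit dot-separated field of the release string (YYMMDD or YYMMDDHH), as in the sample output above. The function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Plesk PHP builds by build timestamp (>= 2110 = fixed).
# Assumption: the timestamp is the first dot-separated field of the release
# part (after "upstream-version-") made of exactly 6 or 8 digits, YYMMDD[HH].

# Print the YYMM of a package version string; print nothing if none is found.
build_yymm() {
    release=${1#*-}                       # drop "[epoch:]upstream-version-"
    printf '%s\n' "$release" | tr '.' '\n' |
        grep -E '^([0-9]{6}|[0-9]{8})$' | head -n 1 | cut -c 1-4
}

# Succeed only if the version string carries a timestamp of 2110 or later.
# A version without a recognisable timestamp is treated as not fixed.
has_fix() {
    yymm=$(build_yymm "$1")
    [ -n "$yymm" ] && [ "$yymm" -ge 2110 ]
}

# Read "dpkg -l" or "yum list installed" lines on stdin, print a verdict each.
report() {
    while read -r f1 f2 f3 rest; do
        if [ "$f1" = "ii" ]; then name=$f2; ver=$f3; else name=$f1; ver=$f2; fi
        if has_fix "$ver"; then status=fixed; else status=NEEDS-UPDATE; fi
        printf '%s %s %s\n' "$name" "$ver" "$status"
    done
}

# Sample input: two lines from the output above, plus one constructed
# pre-October-2021 line (the 7.4.24 entry) to show the failing case.
sample_listing() {
    cat <<'EOF'
ii plesk-php73 1:7.3.32-ubuntu.20.04.211028.1754 amd64 PHP scripting language
plesk-php56.x86_64 5.6.40-centos7.21111012 @PLESK_17_PHP56
plesk-php74.x86_64 7.4.24-1centos.7.210928.1212 @PLESK_17_PHP74
EOF
}

sample_listing | report
```

On a real server, pipe the output of the dpkg or yum command shown above into `report` instead of `sample_listing`.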