On October 19, 2021, we have enabled single-sign-on for our Plesk Support Center to provide a seamless login/account experience. This implies that you’ll be able to use a single account across any of our web-facing properties.
If you had already registered your account at Plesk 360 (formerly known as My Plesk) please use one for login. Otherwise please re-register it using the same email address as your existing Zendesk login (support account). It’s essential that you use the same email address on our support center to ensure that your tickets stay attached to the same account.

Articles in this section

See more

CVE-2021-21703: Vulnerability in PHP-FPM

Avatar
Stefan Yakubov
Updated
Follow
Plesk kb: technical

Situation

  • CVE-2021-21703 was discovered In PHP versions 7.3.x including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12.
  • The vulnerability affects only PHP running in PHP-FPM mode.

Impact

When running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

Call to action

Fixes for PHP versions 5.6, 7.0, 7.1, 7.2, 7.3, 7.4, and 8.0 supplied by Plesk via Tools & Settings > Updates.

The fixes are only available for the supported operating systems.

 

How to check if PHP version on a server is updated to the secured one?

PHP versions including fixes were released starting from October 2021. Therefore builds with the timestamp 2110 and higher are containing the fix already. It can be checked following the next steps: 

  1. Connect to the server via SSH
  2. Check the package build versions using the next commands:
    On the Debian-based OS:

    # dpkg -l | grep "plesk-php..\ "
    ii plesk-php73 1:7.3.32-ubuntu.20.04.211028.1754 amd64 PHP scripting language for creating dynamic web sites
    ii plesk-php74 7.4.25-ubuntu.20.04.211025.1356 amd64 PHP scripting language for creating dynamic web sites

    On the RedHat based OS:

    # yum list installed | grep "php..\.x86_64"
    plesk-php56.x86_64 5.6.40-centos7.21111012 @PLESK_17_PHP56
    plesk-php70.x86_64 7.0.33-centos7.21110918 @PLESK_17_PHP70
    plesk-php71.x86_64 7.1.33-1centos.7.211108.1944 @PLESK_17_PHP71
    plesk-php72.x86_64 1:7.2.34-1centos.7.211108.1944 @PLESK_17_PHP72
    plesk-php73.x86_64 1:7.3.32-1centos.7.211028.1754 @PLESK_17_PHP73
    plesk-php74.x86_64 7.4.25-1centos.7.211025.1356 @PLESK_17_PHP74
    plesk-php80.x86_64 8.0.12-1centos.7.211025.1356 @PLESK_17_PHP80

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles