CVE-2021-21703: 
PHP vulnerability analysis and mitigation

CVE-2021-21703 affects PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12. When running PHP-FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes. The vulnerability was discovered in May 2021 and publicly disclosed in October 2021 (PHP Bug).

The vulnerability exists in PHP-FPM's scoreboard mechanism where each worker has an associated scoreboard structure containing PID, state and stats information stored in shared memory. The main process controls a scoreboard structure containing pointers to worker scoreboards, also located in shared memory. Since these pointers are in shared memory, they can be modified by worker processes to make the root process read/write at arbitrary locations. The vulnerability has a CVSS score of 7.0 (High) with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows a low-privilege user (such as www-data) to escalate privileges to root by manipulating shared memory pointers used by the PHP-FPM master process. This affects most installations where PHP-FPM runs with its main process as root, which is the default configuration in many Linux distributions (PHP Bug).

The vulnerability is fixed in PHP versions 7.4.25, 8.0.12 and later. Users should upgrade to these versions or later. The fix involves changing the scoreboard structure to eliminate access through pointers and modifying how the scoreboard is retrieved in the master process. For systems that cannot be immediately upgraded, restricting shell access and prohibiting program execution functions (exec, system, etc.) may help reduce the risk (PHP Bug, Debian Security).

The vulnerability was initially rated as medium severity by PHP maintainers but was later upgraded to high severity after security researchers emphasized its impact. Multiple Linux distributions issued security advisories and patches, including Debian (DSA-4992-1, DSA-4993-1), Fedora, and others. The security community noted this vulnerability's significance as it could turn many PHP-FPM remote code execution vulnerabilities into potential root compromises (PHP Bug).