
CVE-2021-21703: PHP-FPM worker privilege escalation to root
Closed, Resolved | Public | Security


We do run the master as root and are therefore affected:

legoktm@mw1430:~$ ps faux | grep fpm
root     12716  0.0  0.0 7402680 49808 ?       S<s  Oct20   0:25 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
www-data 17881 10.5  3.5 8238884 3540912 ?     S<l  Oct24 182:42  \_ php-fpm: pool www
www-data 14363 10.2  3.6 8171456 3568268 ?     S<l  Oct24 177:02  \_ php-fpm: pool www
www-data 13638 10.3  3.6 8165012 3553316 ?     R<l  Oct24 179:15  \_ php-fpm: pool www
www-data 29854 10.2  3.6 8168904 3554264 ?     S<l  Oct24 175:22  \_ php-fpm: pool www

I already rebuilt the 7.4 packages, but we need to get a patch for 7.2 and roll it out.
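The task description establishes exposure from a single observation: the php-fpm master runs as root while the pool workers run as www-data. The following is an added example (not part of the task or of Wikimedia's tooling) that turns that manual `ps` inspection into a repeatable check. It assumes `ps -eo user,pid,ppid,args` output, whose fourth and fifth fields for php-fpm processes are `php-fpm:` followed by `master` or `pool`; the embedded sample is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example: detect the php-fpm process layout the task describes as affected
# (master running as root, pool workers as an unprivileged user) from ps output.

# Constructed sample in `ps -eo user,pid,ppid,args` format, modelled on the listing
# in the task description (PIDs and users copied, PPIDs invented for the sample).
SAMPLE_PS='USER PID PPID COMMAND
root 12716 1 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
www-data 17881 12716 php-fpm: pool www
www-data 14363 12716 php-fpm: pool www
www-data 13638 12716 php-fpm: pool www
root 999 1 /usr/sbin/sshd -D'

# fpm_master_user PS_OUTPUT
# Print the owning user of the php-fpm master process; prints nothing if there is none.
fpm_master_user() {
  printf '%s\n' "$1" | awk '$4 == "php-fpm:" && $5 == "master" { print $1; exit }'
}

# fpm_pool_users PS_OUTPUT
# Print the distinct users that php-fpm pool workers run as, one per line.
fpm_pool_users() {
  printf '%s\n' "$1" | awk '$4 == "php-fpm:" && $5 == "pool" { print $1 }' | sort -u
}

# fpm_affected PS_OUTPUT
# Return 0 (true) when the master is root and at least one pool worker is not root,
# i.e. the layout in which a compromised worker has a more privileged master to target.
fpm_affected() {
  master=$(fpm_master_user "$1")
  [ "$master" = "root" ] || return 1
  fpm_pool_users "$1" | grep -qvx root
}

# Stand-alone run: evaluate the constructed sample and print a verdict.
if fpm_affected "$SAMPLE_PS"; then
  echo "affected layout: master=$(fpm_master_user "$SAMPLE_PS") pools=$(fpm_pool_users "$SAMPLE_PS" | tr '\n' ' ')"
else
  echo "not the affected layout (master user: '$(fpm_master_user "$SAMPLE_PS")')"
fi
```

To run it against a live host instead of the sample, source the functions and call `fpm_affected "$(ps -eo user,pid,ppid,args)"`; a zero exit status means the host still needs the patched package (or a master that does not run as root), which is the same question the comments below answer server by server.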

Event Timeline

I'm currently working on updated 7.2 packages.

I backported the patch to our PHP 7.2 packages, ran a few smoke tests on mwdebug1001 and uploaded the build to Version is 7.2.34-18+0~20210223.60+debian10~1.gbpb21322+wmf3

@Legoktm Can you or someone else from Serviceops take care of the production rollout?

I upgraded all the production docker images and @dancy took care of doing a full rebuild of the multiversion image. I upgraded all the Shellboxes as well. On appservers, I've upgraded all debug and canary servers, we can do the rest of the fleet on Wednesday (since Tuesday is a holiday).

I upgraded parsoid-canary (scandium, wtp1025, wtp1026, parse2001, parse2002).

Also upgraded after confirming with @bd808/@Andrew. This host, which is still up. So same here, canary done now. labweb1001/1002 on Wednesday, I suppose.

All hosts should be upgraded now (minus mw2280, which is down and being replaced)

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 30 2021, 6:13 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".