Page MenuHomePhabricator
Create Task
Maniphest T294317

CVE-2021-21703: PHP-FPM worker priviledge escalation to root
Closed, ResolvedPublicSecurity
Actions

Description

We do run the master as root and are therefore affected:

legoktm@mw1430:~$ ps faux | grep fpm
root     12716  0.0  0.0 7402680 49808 ?       S<s  Oct20   0:25 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
www-data 17881 10.5  3.5 8238884 3540912 ?     S<l  Oct24 182:42  \_ php-fpm: pool www
www-data 14363 10.2  3.6 8171456 3568268 ?     S<l  Oct24 177:02  \_ php-fpm: pool www
www-data 13638 10.3  3.6 8165012 3553316 ?     R<l  Oct24 179:15  \_ php-fpm: pool www
www-data 29854 10.2  3.6 8168904 3554264 ?     S<l  Oct24 175:22  \_ php-fpm: pool www
...

I already rebuilt the 7.4 packages, but we need to get a patch for 7.2 and roll it out.

Details

SubjectRepoBranchLines +/-
Rebuild PHP 7.2 and 7.3 imagesoperations/docker-images/production-imagesmaster+30 -0
Customize query in gerrit

Event Timeline

Legoktm created this task.Oct 25 2021, 11:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 25 2021, 11:31 PM
Legoktm added a subscriber: MoritzMuehlenhoff.Oct 25 2021, 11:31 PM
Reedy added a project: serviceops.Oct 25 2021, 11:37 PM
Jdforrester-WMF subscribed.Oct 25 2021, 11:44 PM
Krinkle subscribed.Oct 26 2021, 1:00 AM
Krinkle updated the task description. (Show Details)Oct 26 2021, 1:03 AM
LSobanski subscribed.Oct 26 2021, 10:41 AM
jbond subscribed.Oct 26 2021, 12:14 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Oct 26 2021, 6:58 PM
MoritzMuehlenhoff added a comment.Nov 1 2021, 1:17 PM

I'm currently working on updated 7.2 packages.

MoritzMuehlenhoff added a comment.Nov 1 2021, 3:00 PM

I backported the patch to our PHP 7.2 packages, ran a few smoke tests on mwdebug1001 and uploaded the build to apt.wikimedia.org. Version is 7.2.34-18+0~20210223.60+debian10~1.gbpb21322+wmf3

@Legoktm Can you or someone else from Serviceops take care of the production rollout?

Legoktm claimed this task.Nov 1 2021, 5:30 PM

Yep.

Legoktm added a subscriber: dancy.Nov 1 2021, 9:04 PM

I upgraded all the production docker images and @dancy took care of doing a full rebuild of the multiversion image. I upgraded all the Shellboxes as well. On appservers, I've upgraded all debug and canary servers, we can do the rest of the fleet on Wednesday (since Tuesday is a holiday).

Dzahn subscribed.Nov 2 2021, 12:25 AM

I upgraded parsoid-canary (scandium, wtp1025, wtp1026, parse2001, parse2002).

Dzahn added subscribers: Andrew, bd808.Nov 2 2021, 12:43 AM

Also upgraded cloudweb2001-dev.wikimedia.org after confirming with @bd808/@Andrew. This hosts https://labtestwikitech.wikimedia.org/wiki/Main_Page which is still up. So same here, canary done now. labweb1001/1002 on Wednesday, I suppose.

Legoktm closed this task as Resolved.Nov 3 2021, 9:23 PM

All hosts should be upgraded now (minus mw2280, which is down and being replaced)

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 30 2021, 6:13 PM
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL