CVE-2021-21708 PHP Vulnerability (Solved)

Shane (Commvault Certified Expert)

Hi all,

Is Commvault aware of the ‘new’ PHP vulnerability?

Received this from a customer:

Vulnerabilities details

Vulnerability Name: CVE-2021-21708
Severity: Critical
CVSS: 9.8
Exposed devices: 4
Affected products: Php

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

CVE-2021-21708 Detail

Current Description

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
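
When a scanner reports this CVE, the first triage question is whether the reported PHP version actually falls inside the ranges given in the NVD description above (7.4.x below 7.4.28, 8.0.x below 8.0.16, 8.1.x below 8.1.3); the second, as this thread shows, is whether the PHP install is used at all. The Python helper below is an added example, not code from the thread or from Commvault, and the host names and version strings in it are constructed sample scanner output rather than anything reported by the customer.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected branch, taken from the NVD description.
# Branches not listed here (e.g. 7.3.x) are outside the advisory's scope.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 4): (7, 4, 28),
    (8, 0): (8, 0, 16),
    (8, 1): (8, 1, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull major.minor.patch out of a scanner or `php -v` style string.

    Distro suffixes such as "-1+ubuntu20.04" are ignored: the decision is
    made on the upstream version only, so a distro backport of the fix
    still shows as affected and must be confirmed against the changelog.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def classify(text: str) -> str:
    """Return 'affected', 'fixed', 'not listed' or 'unparseable'."""
    ver = parse_version(text)
    if ver is None:
        return "unparseable"
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return "not listed"  # leave for a human rather than calling it safe
    return "affected" if ver < fixed else "fixed"

def triage(findings: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map (host, reported version) pairs to a classification per host."""
    return {host: classify(version) for host, version in findings}

if __name__ == "__main__":
    # Constructed sample scanner output; not data from the thread.
    sample = [("cs01", "PHP 7.4.27"), ("drcs01", "8.0.16-1+ubuntu20.04"),
              ("web01", "PHP 7.3.33"), ("app01", "version unknown")]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

A version inside the affected range still only means "investigate": as the rest of this thread shows, an unused PHP directory left on disk is best dealt with by removing it, and the rescan then confirms the finding is gone.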

Best answer by Stuart Painter

Hi @Shane 

The PHP folder on the Commserve can be deleted, this is not used and has now been removed from media.

Thanks,

Stuart


Stuart Painter

Hi @Shane 

CVE-2021-21708 affects PHP and I don’t believe we have any PHP implementations in Commvault.

I’ll double check internally, but I don’t think this one affects Commvault.

Thanks,

Stuart


Shane (author), March 9, 2022

Hi Stuart, it was picked up in a scan by the customer on the CS and the DR CS.

If it’s not used it’d be great if we can just uninstall/disable it.


Stuart Painter

Hi @Shane 

I’ll follow up on this internally, in the meantime are you able to send me any further details via private message?

Thanks,

Stuart


Shane (author), March 9, 2022

Hi Stuart, unfortunately this is all I have:

Vulnerabilities details

Vulnerability Name: CVE-2021-21708
Severity: Critical
CVSS: 9.8
Exposed devices: 4
Affected products: Php

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

CVE-2021-21708 Detail

Current Description

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.



Shane (author), March 10, 2022

Thanks Stuart, I have asked for a rescan.

Will update.


Shane (author), March 14, 2022

The rescan came back clear, many thanks!


Damian Andre (Vaulter)
Shane wrote:

The rescan came back clear, many thanks!

Awesome. I was scratching my head as I knew we didn't use PHP anywhere - I mean PHP is known for its ahem, security ‘elasticity’ shall we say.

