CVE-2021-21708 PHP Vulnerability

Hi @Shane 

CVE-2021-21708 affects PHP and I don’t believe we have any PHP implementations in Commvault.

I’ll double check internally, but I don’t think this one affects Commvault.

Thanks,

Stuart

Hi Stuart, it was picked up in a scan by the customer on the CS and the DR CS.

If it’s not used it’d be great if we can just uninstall/disable it.

Hi @Shane 

I’ll follow up on this internally, in the meantime are you able to send me any further details via private message?

Thanks,

Stuart

Hi Stuart, unfortunately this is all I have:

Vulnerabilities details

Vulnerability Name CVE-2021-21708

Severity Critical

CVSS 9.8

Exposed devices 4

Affected products Php

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

CVE-2021-21708 Detail

Current Description

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

Thanks Stuart, I have asked for a rescan.

Will update.

The rescan came back clear, many thanks!

Awesome. I was scratching my head as I knew we didn't use PHP anywhere - I mean PHP is known for its ahem, security ‘elasticity’ shall we say