commvault.com commvault.com
Solved

CVE-2021-21708 PHP Vulnerability

  • 9 March 2022
  • 8 replies
  • 478 views
S
Rank
Userlevel 3
Badge +8
  • Shane Commvault Certified Expert
  • Commvault Certified Expert
  • 74 replies

Hi all,

Is Commvault aware of the ‘new’ PHP vulnerability?

Received this from a customer:

 

Vulnerabilities details

Vulnerability Name CVE-2021-21708

Severity Critical

CVSS 9.8

Exposed devices 4

Affected products Php

 

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

 

CVE-2021-21708 Detail

Current Description

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

icon

Best answer by Stuart Painter 9 March 2022, 13:43

View original
If you have a question or comment, please create a topic

8 replies

S
Rank
Userlevel 7
Badge +15

Hi @Shane 

CVE-2021-21708 affects PHP and I don’t believe we have any PHP implementations in Commvault.

I’ll double check internally, but I don’t think this one affects Commvault.

Thanks,

Stuart

Customer Support
S
Rank
Userlevel 3
Badge +8

Hi Stuart, it was picked up in a scan by the customer on the CS and the DR CS.

If it’s not used it’d be great if we can just uninstall/disable it.

S
Rank
Userlevel 7
Badge +15

Hi @Shane 

I’ll follow up on this internally, in the meantime are you able to send me any further details via private message?

Thanks,

Stuart

Customer Support
S
Rank
Userlevel 3
Badge +8

Hi Stuart, unfortunately this is all I have:

 

Vulnerabilities details

Vulnerability Name CVE-2021-21708

Severity Critical

CVSS 9.8

Exposed devices 4

Affected products Php

 

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

 

CVE-2021-21708 Detail

Current Description

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

S
Rank
Userlevel 7
Badge +15

Hi @Shane 

The PHP folder on the Commserve can be deleted, this is not used and has now been removed from media.

Thanks,

Stuart

Customer Support
S
Rank
Userlevel 3
Badge +8

Thanks Stuart, I have asked for a rescan.

Will update.

S
Rank
Userlevel 3
Badge +8

The rescan came back clear, many thanks!

Damian Andre
Rank
Userlevel 7
Badge +23

The rescan came back clear, many thanks!

Awesome. I was scratching my head as I knew we didn't use PHP anywhere - I mean PHP is known for its ahem, security ‘elasticity’ shall we say :grin:

Terms & ConditionsCookie settings