Bug 1188037 - (CVE-2021-21705) VUL-0: CVE-2021-21705: php5,php7,php72,php74,php53: SSRF bypass in FILTER_VALIDATE_URL
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/303435/
CVSSv3.1:SUSE:CVE-2021-21705:5.3:(AV:...
Reported: 2021-07-06 12:10 UTC by Robert Frohl
Modified: 2021-08-10 13:48 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2021-07-06 12:10:22 UTC
rh#1978755

A security issue was found in PHP in the way it allows bypassing the FILTER_VALIDATE_URL check via a crafted URL, which may lead to SSRF.

Reference:
https://bugs.php.net/bug.php?id=81122

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1978755
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21705
Comment 1 Robert Frohl 2021-07-06 13:51:51 UTC
tracking as affected:


- SUSE:SLE-11:Update/php5
- SUSE:SLE-12:Update/php5

- SUSE:SLE-11-SP3:Update/php53

- SUSE:SLE-12:Update/php7
- SUSE:SLE-15:Update/php7
- SUSE:SLE-15-SP2:Update/php7

- SUSE:SLE-12:Update/php72

- SUSE:SLE-12:Update/php74
Comment 2 Robert Frohl 2021-07-06 13:54:50 UTC
reproduction was a bit complicated. 

for php7* I used:

> echo '<?php echo filter_var("https://example.com:\@test.com/", FILTER_VALIDATE_URL); echo "\n";' | php


For php5* I looked at the code in ext/filter/logical_filters.c
and made the assessment because the code is not too different in the older versions.

@Petr: let me know if you disagree.
Comment 3 Petr Gajdos 2021-07-09 14:39:54 UTC
$ cat test.php
<?php
$urls = array(
    "https://example.com:\\@test.com/",
    "https://user:\\epass@test.com",
    "https://user:\\@test.com",
);
foreach ($urls as $url) {
    var_dump(filter_var($url, FILTER_VALIDATE_URL));
}
?>
$

BEFORE

$ php test.php
string(31) "https://example.com:\@test.com/"
string(28) "https://user:\epass@test.com"
string(23) "https://user:\@test.com"
$


AFTER

$ php test.php
bool(false)
bool(false)
bool(false)
$
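
A defensive check built around the three URLs from comment 3, added here as an example; it is not part of the original bug report or of the upstream PHP fix. It reports whether the installed filter_var() already shows the AFTER behaviour, and it gates outbound URLs without relying on FILTER_VALIDATE_URL alone. The function names and ALLOWED_HOSTS are assumptions, and the code needs PHP 7.1 or later.

```php
<?php
// Added example. ALLOWED_HOSTS and both function names are assumptions.
const ALLOWED_HOSTS = ['example.com'];

// The three URLs from comment 3; a patched PHP rejects all of them.
const CVE_2021_21705_PROBES = [
    'https://example.com:\\@test.com/',
    'https://user:\\epass@test.com',
    'https://user:\\@test.com',
];

// True when FILTER_VALIDATE_URL rejects every probe (the AFTER behaviour).
function filter_is_patched(): bool
{
    foreach (CVE_2021_21705_PROBES as $probe) {
        if (filter_var($probe, FILTER_VALIDATE_URL) !== false) {
            return false;
        }
    }
    return true;
}

// Defence in depth before an outbound request: returns the URL or null.
function safe_outbound_url(string $url): ?string
{
    // Backslashes, spaces and control characters never belong in a URL we fetch.
    if (preg_match('/[\\\\\x00-\x20\x7f]/', $url)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // All three probes carry the backslash in the userinfo part: refuse userinfo.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk = in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
    return ($schemeOk && $hostOk) ? $url : null;
}

printf("filter patched: %s\n", filter_is_patched() ? 'yes' : 'no');
foreach (array_merge(CVE_2021_21705_PROBES, ['https://example.com/feed']) as $u) {
    printf("%-36s %s\n", $u, safe_outbound_url($u) === null ? 'rejected' : 'allowed');
}
```

safe_outbound_url() rejects the three probes on both unpatched and patched builds, because the backslash check runs before filter_var().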
Comment 4 Petr Gajdos 2021-07-09 14:44:42 UTC
(In reply to Robert Frohl from comment #2)
> reproduction was a bit complicated. 
> 
> for php7* I used:
> 
> > echo '<?php echo filter_var("https://example.com:\@test.com/", FILTER_VALIDATE_URL); echo "\n";' | php
> 
> 
> For php5* I looked at the code in ext/filter/logical_filters.c
> and made the assessment because the code is not too different in the older
> versions.
> 
> @Petr: let me know if you disagree.

Thanks. Yes, I agree, using also
https://github.com/php/php-src/commit/4a89e726bd4d0571991dc22a9a1ad4509e8fe347
Comment 5 Petr Gajdos 2021-07-09 14:48:14 UTC
Will submit for 15sp2/php7, 15/php7, 12/php74, 12/php72, 11sp3/php53 and 11/php5.
Comment 6 Petr Gajdos 2021-07-09 14:48:42 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2021-07-29 16:24:00 UTC
SUSE-SU-2021:2564-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188037
CVE References: CVE-2021-21705
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.63.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.63.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-07-30 13:16:16 UTC
openSUSE-SU-2021:2575-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188037
CVE References: CVE-2021-21705
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    php7-7.2.5-4.76.5
Comment 11 Swamp Workflow Management 2021-08-06 13:26:24 UTC
SUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    php7-7.4.6-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-08-06 13:27:35 UTC
openSUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    php7-7.4.6-3.22.1
Comment 13 Swamp Workflow Management 2021-08-06 13:28:51 UTC
SUSE-SU-2021:2636-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.6-1.24.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.6-1.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-08-10 13:48:46 UTC
openSUSE-SU-2021:1130-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php7-7.4.6-lp152.2.18.1, php7-test-7.4.6-lp152.2.18.1