CVE-2021-21702 Overview
CVE-2021-21702 is a null pointer dereference vulnerability affecting PHP's SOAP extension that can be exploited to cause a denial of service condition. When a PHP application uses the SOAP extension to connect to a SOAP server, a malicious server can return specially crafted malformed XML data as a response. This malformed response causes PHP to access a null pointer, resulting in an application crash.
This vulnerability poses a significant risk to web applications and services that rely on PHP's SOAP extension for communication with external SOAP-based web services. An attacker controlling or impersonating a SOAP server could systematically crash PHP processes, disrupting service availability.
Critical Impact
Malicious SOAP servers can crash PHP applications by returning malformed XML responses, causing denial of service through null pointer dereference.
Affected Products
- PHP versions 7.3.x below 7.3.27
- PHP versions 7.4.x below 7.4.15
- PHP versions 8.0.x below 8.0.2
- Debian Linux 9.0 and 10.0
- NetApp Clustered Data ONTAP
- Oracle Communications Diameter Signaling Router
Discovery Timeline
- 2021-02-15 - CVE-2021-21702 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21702
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). The flaw exists in PHP's SOAP extension, which is used to enable PHP applications to communicate with SOAP-based web services. When processing XML responses from SOAP servers, the extension fails to properly validate the response data before dereferencing memory pointers.
The vulnerability occurs during the parsing phase of SOAP responses. When a malicious SOAP server returns intentionally malformed XML data, the PHP SOAP extension's parser fails to handle the unexpected data structure gracefully. Instead of returning an error or handling the malformed data appropriately, the code attempts to dereference a null pointer, leading to an immediate crash of the PHP process.
Root Cause
The root cause of CVE-2021-21702 lies in insufficient validation of XML response data within the PHP SOAP extension. The code path responsible for parsing SOAP responses does not adequately check for null values before attempting to access memory locations. This missing validation allows malformed XML structures to trigger null pointer access, which the operating system handles as a segmentation fault, terminating the process.
The vulnerability specifically manifests when the SOAP response contains XML structures that the parser does not anticipate, causing internal data structures to remain uninitialized (null) when the code subsequently attempts to use them.
Attack Vector
The attack vector for this vulnerability requires network access. An attacker must be able to respond to SOAP requests made by the vulnerable PHP application. This can be achieved through several scenarios:
- Malicious SOAP Server: An attacker hosts a malicious SOAP service that the target application is configured to communicate with
- Man-in-the-Middle: An attacker intercepts legitimate SOAP traffic and injects malformed responses
- Compromised Service: An attacker compromises a legitimate SOAP service that the target application trusts
The exploitation requires no authentication and no user interaction. The vulnerability affects the availability of the application by causing crashes but does not directly impact confidentiality or integrity.
The attack involves the malicious SOAP server crafting an XML response with structural anomalies that cause PHP's SOAP extension to encounter null pointer conditions during parsing. For detailed technical analysis of the malformed XML structures that trigger this vulnerability, refer to the PHP Bug Report #80672.
Detection Methods for CVE-2021-21702
Indicators of Compromise
- Unexpected PHP process crashes or segmentation faults when communicating with external SOAP services
- Repeated service restarts or process respawns for PHP-FPM or Apache mod_php workers
- Error logs containing null pointer dereference or segmentation fault messages correlated with SOAP operations
- Unusual traffic patterns from SOAP endpoints returning malformed or suspicious XML responses
Detection Strategies
- Monitor PHP error logs for segmentation fault errors, particularly those occurring during SOAP operations
- Implement application-level monitoring to detect abnormal crash rates in PHP processes
- Use network traffic analysis to identify malformed XML responses from SOAP servers
- Deploy intrusion detection rules to identify anomalous SOAP response patterns
Monitoring Recommendations
- Configure centralized logging for all PHP error output and crash dumps
- Set up alerting thresholds for PHP process crash frequency to detect active exploitation attempts
- Monitor SOAP endpoint connectivity and response validity as part of application health checks
- Implement circuit breaker patterns in application code to limit impact of repeated crashes
How to Mitigate CVE-2021-21702
Immediate Actions Required
- Upgrade PHP to patched versions: 7.3.27 or later, 7.4.15 or later, or 8.0.2 or later
- Review all applications using PHP's SOAP extension and prioritize updates for internet-facing services
- Implement input validation and response verification for SOAP communications where possible
- Consider temporarily disabling SOAP functionality for non-critical services until patches are applied
Patch Information
Security patches addressing this vulnerability have been released by PHP and various Linux distributions. The following resources provide official patch information:
- PHP Bug Report #80672 - Original bug report and fix details
- Debian DSA-4856 Security Notice - Debian security advisory
- Debian LTS Announcement - Debian LTS patch information
- Gentoo GLSA 2021-05-23 - Gentoo Linux advisory
- NetApp Security Advisory NTAP-20210312-0005 - NetApp advisory
- Oracle CPU October 2021 Alert - Oracle patch information
- Tenable Security Notice TNS-2021-14 - Tenable advisory
Workarounds
- Restrict network access to only trusted SOAP servers by implementing firewall rules or network segmentation
- Implement application-level validation of SOAP responses before passing to PHP's SOAP extension
- Use process supervision to automatically restart crashed PHP processes and minimize service disruption
- Consider using alternative SOAP client implementations or REST-based APIs where feasible
# Check current PHP version for vulnerability
php -v | head -1
# Example: Upgrade PHP on Debian/Ubuntu systems
sudo apt update
sudo apt install php7.4 # or php8.0 for 8.x series
# Verify upgrade was successful
php -v | head -1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
