Bug 1499152 (CVE-2017-15047)

Summary: CVE-2017-15047 redis: Insufficient input validation in the clusterLoadConfig function
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apevec, chrisw, drusso, fabian.deutsch, hhorak, i, jal233, jjoyce, jmadigan, jorton, jschluet, jshepherd, kbasil, kpiwko, lgriffin, lhh, lpeer, markmc, mburns, nathans, ngough, pbraun, pwright, rbryant, rcollet, rhos-maint, rrajasek, sclewis, slinaber, tdecacqu, trepel, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:26:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1499153, 1499154    
Bug Blocks: 1499157    

Description Andrej Nemec 2017-10-06 09:28:25 UTC 
The clusterLoadConfig function in cluster.c in Redis allows local attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by leveraging "limited access to the machine."

Upstream issue:

https://github.com/antirez/redis/issues/4278
Comment 1 Andrej Nemec 2017-10-06 09:29:36 UTC 
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1499153]
Affects: fedora-all [bug 1499154]
Comment 2 Nathan Scott 2017-10-11 05:24:21 UTC 
FWIW, I don't believe this issue is exploitable for default Redis configurations with any Red Hat product or Fedora packages  (probably the Severity and Priority of this BZ should be lowered).

I've added a note and github pull request fixing the underlying bug, upstream:
https://github.com/antirez/redis/pull/4365
https://github.com/antirez/redis/issues/4278#issuecomment-335095580

cheers.
Comment 3 Joshua Padman 2017-10-12 22:51:40 UTC 
Changed impact to low as this requires access to modify redis owned files, with that access there would be better way to exploit the system/service. 
Changed CVSS score based on impact to availability, low is still generous as with redis user access you could just kill the process anyway.

Permissions are validated for all current OpenStack packages.
Comment 4 Jason Shepherd 2017-11-17 00:07:51 UTC 
There is no local user access for Redis deployed to RHAMP On-premise. Redis runs in a dedicated container pod with no other shared users. Marking as not affected.