Bug 1499152 (CVE-2017-15047)
Summary: | CVE-2017-15047 redis: Insufficient input validation in the clusterLoadConfig function | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | apevec, chrisw, drusso, fabian.deutsch, hhorak, i, jal233, jjoyce, jmadigan, jorton, jschluet, jshepherd, kbasil, kpiwko, lgriffin, lhh, lpeer, markmc, mburns, nathans, ngough, pbraun, pwright, rbryant, rcollet, rhos-maint, rrajasek, sclewis, slinaber, tdecacqu, trepel, webstack-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 03:26:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1499153, 1499154 | ||
Bug Blocks: | 1499157 |
Description
Andrej Nemec
2017-10-06 09:28:25 UTC
Created redis tracking bugs for this issue: Affects: epel-all [bug 1499153] Affects: fedora-all [bug 1499154] FWIW, I don't believe this issue is exploitable for default Redis configurations with any Red Hat product or Fedora packages (probably the Severity and Priority of this BZ should be lowered). I've added a note and github pull request fixing the underlying bug, upstream: https://github.com/antirez/redis/pull/4365 https://github.com/antirez/redis/issues/4278#issuecomment-335095580 cheers. Changed impact to low as this requires access to modify redis owned files, with that access there would be better way to exploit the system/service. Changed CVSS score based on impact to availability, low is still generous as with redis user access you could just kill the process anyway. Permissions are validated for all current OpenStack packages. There is no local user access for Redis deployed to RHAMP On-premise. Redis runs in a dedicated container pod with no other shared users. Marking as not affected. |