Bug 1594291 (CVE-2018-12326)

Summary: CVE-2018-12326 redis: Code execution in redis-cli via crafted command line arguments
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apevec, chrisw, cmacedo, dffrench, drusso, fabian.deutsch, hhorak, jal233, jjoyce, jmadigan, jorton, jschluet, jshepherd, kbasil, lgriffin, lhh, lpeer, markmc, mburns, nathans, ngough, pwright, rcollet, rhos-maint, sclewis, sisharma, slinaber, tdecacqu, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: redis 5.0-rc2, redis 4.0.10, redis 3.2.12 Doc Type: If docs needed, set a value
Doc Text:
The Redis command line tool 'redis-cli' is vulnerable to a buffer overflow through the -h (host) command line parameter. The redis-cli may be used by other services; if these services do not adequately filter the host input it could lead to code execution with the privilege level of that service.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:29:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1594294, 1595070, 1595071, 1595072, 1595073, 1595074, 1595075, 1595076, 1595077, 1595078, 1596254    
Bug Blocks: 1594295    

Description Laura Pardo 2018-06-22 14:34:03 UTC
A flaw was found in Redis before 4.0.10 and 5.x before 5.0 RC2. A buffer overflow in redis-cli allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line.


References:
https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES 	
https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0 	 	
https://www.exploit-db.com/exploits/44904/ 	

Patch:
https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50

Comment 1 Laura Pardo 2018-06-22 14:34:52 UTC
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1594294]

Comment 2 Joshua Padman 2018-06-26 03:45:10 UTC
The Redis command line tool "redis-cli" is vulnerable to a buffer overflow through the -h (host) command line parameter. If using redis-cli directly this could cause a self DoS or code execution with the same privilege level the command was executed with. This is unlikely to impact the security of the system as the attacker would already require access.
It is possible that products are built to call redis-cli and may allow an attacker with access to the layered product to gain command execution on the underlying system. This would require the unfiltered host parameter to be passed from the layered product to redis-cli

Specific to OpenStack:
The default key-value data store in OpenStack is memcached. Regardless, none of the components that are included with Red Hat OpenStack make calls to redis-cli in a way that would allow the host value to be manipulated.

Comment 7 errata-xmlrpc 2019-01-16 17:11:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0052 https://access.redhat.com/errata/RHSA-2019:0052

Comment 8 errata-xmlrpc 2019-01-16 17:57:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0094 https://access.redhat.com/errata/RHSA-2019:0094

Comment 12 errata-xmlrpc 2019-07-25 16:08:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:1860 https://access.redhat.com/errata/RHSA-2019:1860