Bug 1723918 (CVE-2019-10192)
| Summary: | CVE-2019-10192 redis: Heap buffer overflow in HyperLogLog triggered by malicious client | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | apevec, dbecker, fabian.deutsch, fpercoco, hchiramm, hhorak, jal233, jjoyce, jmulligan, jorton, jpadman, jschluet, kbasil, kramdoss, lberk, lhh, lpeer, madam, mburns, mgoodwin, mmagr, nathans, rcollet, redis-maint, rhos-maint, rhs-bugs, sankarshan, sclewis, security-response-team, sisharma, slinaber, slong, ssaha, storage-qa-internal, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Redis 3.2.13, Redis 4.0.14, Redis 5.0.4 | Doc Type: | If docs needed, set a value |
| Doc Text: | A heap buffer overflow vulnerability was found in the Redis HyperLogLog data structure. By carefully corrupting a HyperLogLog using the SETRANGE command, an attacker could trick Redis' interpretation of the dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-22 15:07:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1727710, 1727711, 1727712, 1727713, 1727714, 1727720, 1728468, 1728469, 1728918, 1728924, 1728925, 1728926, 1728927, 1728928, 1728929 | | |
| Bug Blocks: | 1719403 | | |
Description
Pedro Sampaio
2019-06-25 18:08:35 UTC
Heap buffer overflow with corrupted hyperloglog data structure. By carefully corrupting a hyperloglog structure in redis using the SETRANGE command, an attacker could trick redis' interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.

Upstream patches:
https://github.com/antirez/redis/commit/e216ceaf0e099536fe3658a29dcb725d812364e0
https://github.com/antirez/redis/commit/9f13b2bd4967334b1701c6eccdf53760cb13f79e

Created redis tracking bugs for this issue:

Affects: openstack-rdo [bug 1727720]

Upstream timeline: https://github.com/antirez/redis/issues/6215

External References:
https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES

Statement:

* This issue did not affect the version of grafana (embeds redis) as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it only ships the client-side part of the redis implementation.
* This issue did not affect the version of heketi (embeds redis) as shipped with Red Hat Gluster Storage 3, as it only ships the client-side part of the redis implementation.

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1819 https://access.redhat.com/errata/RHSA-2019:1819

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10192

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2019:1860 https://access.redhat.com/errata/RHSA-2019:1860

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:2002 https://access.redhat.com/errata/RHSA-2019:2002

This issue has been addressed in the following products:
Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7
Via RHSA-2019:2506 https://access.redhat.com/errata/RHSA-2019:2506

This issue has been addressed in the following products:
Red Hat OpenStack Platform 9.0 (Mitaka)
Via RHSA-2019:2508 https://access.redhat.com/errata/RHSA-2019:2508

This issue has been addressed in the following products:
Red Hat OpenStack Platform 14.0 (Rocky)
Via RHSA-2019:2621 https://access.redhat.com/errata/RHSA-2019:2621

This issue has been addressed in the following products:
Red Hat OpenStack Platform 10.0 (Newton)
Via RHSA-2019:2630 https://access.redhat.com/errata/RHSA-2019:2630

This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Via RHSA-2019:2628 https://access.redhat.com/errata/RHSA-2019:2628
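To make the defensive check concrete, the following is an added illustrative model of the dense HyperLogLog layout (not Redis's own code, and not part of this bug record; the constants, function names and the sample buffer are assumptions modelled on the documented layout): a validator that rejects a dense-encoded value whose length is not the fixed dense size, plus bounds-checked register accessors that refuse any access that would leave the buffer, which is the kind of out-of-bounds access a SETRANGE-shortened value would otherwise provoke.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative model of Redis's dense HyperLogLog layout (not Redis's own code): a
 * 16-byte header ("HYLL" magic, encoding byte, ...) then 16384 six-bit registers, LSB-first. */
#define HLL_REGISTERS 16384
#define HLL_BITS 6
#define HLL_HDR_SIZE 16
#define HLL_DENSE 0
#define HLL_SPARSE 1
#define HLL_DENSE_SIZE (HLL_HDR_SIZE + (HLL_REGISTERS * HLL_BITS + 7) / 8) /* 12304 */
/* Check before interpreting: a dense value whose length is not exactly
 * HLL_DENSE_SIZE (e.g. shrunk or rewritten via SETRANGE) is rejected. */
int hll_validate(const unsigned char *buf, size_t len) {
    if (len < HLL_HDR_SIZE || memcmp(buf, "HYLL", 4) != 0) return 0;
    if (buf[4] != HLL_DENSE && buf[4] != HLL_SPARSE) return 0;
    return buf[4] == HLL_SPARSE || len == HLL_DENSE_SIZE;
}

/* Byte span of register `reg` (it may straddle two bytes). Returns 0 when any
 * byte of that span lies outside a buffer of `len` bytes. */
static int hll_span(size_t len, size_t reg, size_t *f, size_t *l, size_t *fb) {
    size_t bit = reg * HLL_BITS;
    *f = HLL_HDR_SIZE + bit / 8; *l = HLL_HDR_SIZE + (bit + 5) / 8; *fb = bit & 7;
    return reg < HLL_REGISTERS && *l < len;
}
int hll_dense_set(unsigned char *buf, size_t len, size_t reg, unsigned val) {
    size_t f, l, fb;
    if (val > 63 || !hll_span(len, reg, &f, &l, &fb)) return 0; /* refuse an OOB write */
    buf[f] = (unsigned char)((buf[f] & ~(63u << fb)) | (val << fb));
    if (l != f) buf[l] = (unsigned char)((buf[l] & ~(63u >> (8 - fb))) | (val >> (8 - fb)));
    return 1;
}

int hll_dense_get(const unsigned char *buf, size_t len, size_t reg, unsigned *out) {
    size_t f, l, fb;
    if (!hll_span(len, reg, &f, &l, &fb)) return 0;
    *out = ((buf[f] >> fb) | (l != f ? (unsigned)buf[l] << (8 - fb) : 0)) & 63;
    return 1;
}

/* Constructed sample: a well-formed dense HLL, then the same bytes treated as 100 long. */
int hll_selftest(void) {
    static unsigned char hll[HLL_DENSE_SIZE]; unsigned v;
    memset(hll, 0, sizeof hll); memcpy(hll, "HYLL", 4); hll[4] = HLL_DENSE;
    if (!hll_validate(hll, sizeof hll)) return 0;
    if (!hll_dense_set(hll, sizeof hll, 1, 45) || !hll_dense_get(hll, sizeof hll, 1, &v) || v != 45) return 0;
    if (!hll_dense_set(hll, sizeof hll, HLL_REGISTERS - 1, 42)) return 0;
    return !hll_validate(hll, 100) && !hll_dense_set(hll, 100, HLL_REGISTERS - 1, 1);
}
```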