Bug 1723918 (CVE-2019-10192)

Summary: CVE-2019-10192 redis: Heap buffer overflow in HyperLogLog triggered by malicious client
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: apevec, dbecker, fabian.deutsch, fpercoco, hchiramm, hhorak, jal233, jjoyce, jmulligan, jorton, jpadman, jschluet, kbasil, kramdoss, lberk, lhh, lpeer, madam, mburns, mgoodwin, mmagr, nathans, rcollet, redis-maint, rhos-maint, rhs-bugs, sankarshan, sclewis, security-response-team, sisharma, slinaber, slong, ssaha, storage-qa-internal, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Redis 3.2.13, Redis 4.0.14, Redis 5.0.4
Doc Type: If docs needed, set a value
Doc Text:
A heap buffer overflow vulnerability was found in the Redis HyperLogLog data structure. By carefully corrupting a HyperLogLog using the SETRANGE command, an attacker could trick Redis' interpretation of the dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer.
Story Points: ---
Last Closed: 2019-07-22 15:07:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1727710, 1727711, 1727712, 1727713, 1727714, 1727720, 1728468, 1728469, 1728918, 1728924, 1728925, 1728926, 1728927, 1728928, 1728929
Bug Blocks: 1719403

Description Pedro Sampaio 2019-06-25 18:08:35 UTC
Heap buffer overflow with corrupted hyperloglog data structure. By carefully corrupting a hyperloglog structure in redis using the SETRANGE command, an attacker could trick redis' interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.

Upstream patches: 
https://github.com/antirez/redis/commit/e216ceaf0e099536fe3658a29dcb725d812364e0
https://github.com/antirez/redis/commit/9f13b2bd4967334b1701c6eccdf53760cb13f79e

Comment 6 Summer Long 2019-07-07 23:51:20 UTC
Heap buffer overflow with corrupted hyperloglog data structure. By carefully corrupting a hyperloglog structure in redis using the SETRANGE command, an attacker could trick redis' interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.

Upstream patches: 
https://github.com/antirez/redis/commit/e216ceaf0e099536fe3658a29dcb725d812364e0
https://github.com/antirez/redis/commit/9f13b2bd4967334b1701c6eccdf53760cb13f79e

Comment 9 Summer Long 2019-07-08 04:25:51 UTC
Created redis tracking bugs for this issue:

Affects: openstack-rdo [bug 1727720]

Comment 10 Summer Long 2019-07-10 00:20:58 UTC
Upstream timeline: https://github.com/antirez/redis/issues/6215

Comment 17 Hardik Vyas 2019-07-11 13:41:37 UTC
Statement:

* This issue did not affect the version of grafana (embeds redis) as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it only ships the client-side part of the redis implementation.
* This issue did not affect the version of heketi (embeds redis) as shipped with Red Hat Gluster Storage 3, as it only ships the client-side part of the redis implementation.

Comment 18 errata-xmlrpc 2019-07-22 13:34:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1819 https://access.redhat.com/errata/RHSA-2019:1819

Comment 19 Product Security DevOps Team 2019-07-22 15:07:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10192

Comment 20 errata-xmlrpc 2019-07-25 16:08:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:1860 https://access.redhat.com/errata/RHSA-2019:1860

Comment 21 errata-xmlrpc 2019-08-07 10:52:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2002 https://access.redhat.com/errata/RHSA-2019:2002

Comment 22 errata-xmlrpc 2019-08-15 14:06:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7

Via RHSA-2019:2506 https://access.redhat.com/errata/RHSA-2019:2506

Comment 23 errata-xmlrpc 2019-08-15 14:08:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2019:2508 https://access.redhat.com/errata/RHSA-2019:2508

Comment 25 errata-xmlrpc 2019-09-03 15:34:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:2621 https://access.redhat.com/errata/RHSA-2019:2621

Comment 26 errata-xmlrpc 2019-09-03 16:35:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:2630 https://access.redhat.com/errata/RHSA-2019:2630

Comment 27 errata-xmlrpc 2019-09-03 16:53:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:2628 https://access.redhat.com/errata/RHSA-2019:2628