Bug 1957410 (CVE-2021-29477)

Summary: CVE-2021-29477 redis: Integer overflow via STRALGO LCS command
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agerstmayr, apevec, bcoca, chousekn, cmeyers, davidn, dbecker, fabian.deutsch, fedora, fpercoco, gblomqui, gghezzo, gparvin, jal233, jcammara, jhardy, jjoyce, jobarker, jramanat, jschluet, jweiser, kaycoth, lhh, lpeer, mabashia, mburns, mgoodwin, nathans, notting, osapryki, rcollet, redis-maint, relrod, rhos-maint, rpetrell, sclewis, sdoran, slinaber, smcdonal, stcannon, thee, tkuratom, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: redis 6.2.3, redis 6.0.13
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in redis. An integer overflow bug could be exploited to corrupt the heap and potentially result in remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-19 14:33:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1957411, 1957412, 1957466, 1957694, 1957695, 1957696, 1957697, 1957698, 1957917, 1957918, 1957919, 1957920, 1957921, 1957922
Bug Blocks: 1957417

Description Pedro Sampaio 2021-05-05 18:11:16 UTC
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:

https://redis.io/
https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g

Comment 1 Pedro Sampaio 2021-05-05 18:12:00 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1957412]
Affects: fedora-all [bug 1957411]

Comment 5 Todd Cullum 2021-05-06 18:41:06 UTC
Statement:

redis:5/redis as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because it does not ship a vulnerable version of Redis.

Comment 8 Todd Cullum 2021-05-06 23:11:42 UTC
Flaw summary:

The line `uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));` in stralgoLCS() from src/t_string.c allows for an unsigned integer wraparound to occur if (alen+1)*(blen+1)*sizeof(uint32_t) > UINT32_MAX. This could result in under-allocation of memory for lcs, which subsequently allows for out-of-bounds writes and reads to occur when the memory is accessed in the loop below. This is a problem because alen and blen are obtained from a and b, which are in turn obtained from the client.
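
The following is an added example, not Redis source code and not part of this bug report: it places the allocation-size expression quoted in the flaw summary next to an overflow-checked version of the same computation, so the under-allocation can be observed on constructed lengths. It assumes, as the flaw summary implies, that alen and blen are 32-bit unsigned lengths; the function names (lcs_table_bytes_unchecked, lcs_table_bytes_checked, mul_size_checked, lcs_table_alloc) and the calloc-based allocator are this example's own.

```c
/* Added example (not Redis code): unchecked vs. checked computation of the
 * STRALGO LCS dynamic-programming table size. Function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the expression quoted in the flaw summary. With 32-bit alen and
 * blen, (alen+1)*(blen+1) is evaluated in uint32_t arithmetic and wraps
 * before the product is widened by the multiplication with sizeof(uint32_t). */
static size_t lcs_table_bytes_unchecked(uint32_t alen, uint32_t blen) {
    return (alen + 1) * (blen + 1) * sizeof(uint32_t);
}

/* Overflow-aware multiply in size_t: reports failure instead of wrapping. */
static bool mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Exact table size in bytes, or 0 if it cannot be represented in size_t.
 * 0 is never a legitimate result because rows, cols and sizeof are all >= 1,
 * so callers can use it as the "refuse this request" signal. */
static size_t lcs_table_bytes_checked(uint32_t alen, uint32_t blen) {
    size_t rows = (size_t)alen + 1;   /* widen first; may still wrap on 32-bit size_t */
    size_t cols = (size_t)blen + 1;
    size_t cells, bytes;
    if (rows == 0 || cols == 0) return 0;
    if (!mul_size_checked(rows, cols, &cells)) return 0;
    if (!mul_size_checked(cells, sizeof(uint32_t), &bytes)) return 0;
    return bytes;
}

/* Allocate the table only when its size was computed without wraparound;
 * otherwise return NULL so the caller rejects the request instead of
 * writing into a buffer that is smaller than the loop expects. */
static uint32_t *lcs_table_alloc(uint32_t alen, uint32_t blen) {
    size_t bytes = lcs_table_bytes_checked(alen, blen);
    if (bytes == 0) return NULL;
    return calloc(1, bytes);
}

int main(void) {
    /* Constructed lengths: (alen+1)*(blen+1) == 2^32, which is exactly where
     * the 32-bit product wraps to zero. */
    uint32_t alen = 65535, blen = 65535;
    printf("unchecked size: %zu bytes\n", lcs_table_bytes_unchecked(alen, blen));
    printf("checked size:   %zu bytes (0 means refused)\n",
           lcs_table_bytes_checked(alen, blen));

    /* A small, legitimate request still succeeds through the checked path. */
    uint32_t *t = lcs_table_alloc(3, 4);
    printf("3x4 table: %s\n", t ? "allocated" : "refused");
    free(t);
    return 0;
}
```

On a 64-bit build the unchecked expression yields 0 bytes for the constructed 65535/65535 case while the checked version reports the true 16 GiB requirement; the checked path also returns 0 (refuse) when the product cannot fit in size_t at all, which is the case a caller must handle before calling the allocator. A deployment would normally add a policy limit on top of this (Redis already bounds bulk string length), but the arithmetic check is what prevents a too-small buffer from ever being handed to the fill loop.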

Comment 9 Todd Cullum 2021-05-06 23:15:35 UTC
Mitigation:

The flaw can be mitigated by disallowing usage of the STRALGO LCS command via ACL configuration. Please see https://redis.io/topics/acl for more information on how to do this.

Comment 10 Tapas Jena 2021-05-07 14:09:00 UTC
AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3 as shown below as well:

[root@ip-10-0-10-39 ~]# dnf list installed | grep redis
redis.x86_64                                  5.0.3-2.module+el8.0.0.z+3657+acb471dc     @rhel-8-appstream-rhui-rpms

Also, the affected functionality, i.e. the STRALGO LCS command, is not in use anywhere in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point.

Hence, marking this as "Not Affected".

Comment 11 Todd Cullum 2021-05-07 18:11:23 UTC
External References:

https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g

Comment 12 errata-xmlrpc 2021-05-19 10:14:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2034 https://access.redhat.com/errata/RHSA-2021:2034

Comment 13 Product Security DevOps Team 2021-05-19 14:33:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29477

Comment 14 errata-xmlrpc 2021-08-06 00:51:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016