Bug 1957414 (CVE-2021-29478)

Summary: CVE-2021-29478 redis: Integer overflow via COPY command for large intsets
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agerstmayr, apevec, bcoca, chousekn, cmeyers, davidn, fabian.deutsch, fedora, fpercoco, gblomqui, gghezzo, gparvin, jal233, jcammara, jhardy, jjoyce, jobarker, jramanat, jschluet, jweiser, kaycoth, lhh, lpeer, mabashia, mburns, mgoodwin, nathans, notting, osapryki, rcollet, redis-maint, relrod, rpetrell, sclewis, sdoran, slinaber, smcdonal, stcannon, thee, tkuratom, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: redis 6.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in redis. An integer overflow bug could be exploited to corrupt the heap and potentially result in remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-06 01:07:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1957416, 1957415, 1957465, 1957720, 1957721, 1957722, 1957723, 1957724, 1957912, 1957915, 1957916
Bug Blocks: 1957417

Description Pedro Sampaio 2021-05-05 18:14:39 UTC
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result in remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `set-max-intset-entries` configuration parameter. This can be done using ACL to restrict unprivileged users from using the `CONFIG SET` command.

References:

https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3
https://redis.io/

Comment 1 Pedro Sampaio 2021-05-05 18:15:29 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1957416]
Affects: fedora-all [bug 1957415]

Comment 9 Todd Cullum 2021-05-06 23:27:44 UTC
Mitigation:

The flaw can be mitigated by disallowing usage of the CONFIG SET command via ACL configuration. This will prevent clients from setting the set-max-intset-entries configuration parameter. Please see https://redis.io/topics/acl for more information on how to do this.

Comment 10 Tapas Jena 2021-05-07 14:11:32 UTC
AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3 as shown below as well:

[root@ip-10-0-10-39 ~]# dnf list installed | grep redis
redis.x86_64                                  5.0.3-2.module+el8.0.0.z+3657+acb471dc     @rhel-8-appstream-rhui-rpms

Also, the affected functionality, i.e. the COPY command, is not explicitly allowed in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point.

Hence, marking this as "Not Affected".

Comment 11 Nick Tait 2021-05-07 16:06:50 UTC
Statement:

redis:6/redis and redis:5/redis shipped in Red Hat Enterprise Linux 8 are not affected by this flaw as they do not ship vulnerable versions of Redis.

The versions of Redis provided by Red Hat OpenStack Platform are not directly affected by this issue. As a result the impact is lowered and no update will be provided at this time.

Comment 12 Todd Cullum 2021-05-07 18:12:03 UTC
External References:

https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3

Comment 13 Todd Cullum 2021-05-10 20:04:08 UTC
Flaw summary:

In src/intset.c's intsetBlobLen() routine there is the following line:

return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);

If the result of `intrev32ifbe(is->length)*intrev32ifbe(is->encoding)` > UINT32_MAX, then this will cause an unsigned integer wraparound. The incorrect result will then be added to sizeof(intset) and returned. Therefore there will be an incorrect intset blob size. This is a problem because the return value of this function is e.g. used in `intset *newis = zmalloc(size);` to control memory allocation in setTypeDup() of t_set.c. This means the integer wraparound can lead to incorrect memory allocations, which can subsequently lead to out-of-bounds write and read operations. It can be set by setting the set-max-intset-entries configuration parameter (using CONFIG SET command) to a large number, controlling is->encoding and causing the wraparound to occur.
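The arithmetic described in the flaw summary, reproduced as an added stand-alone example (this is not code from the bug report or from the Redis source tree). It mirrors the vulnerable expression with a header struct shaped like the one in src/intset.c, places an overflow-checked variant beside it, and shows why the ACL mitigation from comment 9 is effective: with the default set-max-intset-entries of 512 the element count can never grow large enough for the 32-bit product to wrap. The names `blob_len_vulnerable`, `blob_len_checked`, `wrapped_size_for`, `checked_size_for`, `widened_bytes` and `default_cap_prevents_wrap` are this example's own; the checked variant is a standard widen-before-multiply fix and is not presented as the exact upstream 6.2.3 patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the intset header from Redis src/intset.c: two 32-bit fields
 * followed by a flexible array of bytes. sizeof(intset) is 8. */
typedef struct intset {
    uint32_t encoding;   /* bytes per element: 2, 4 or 8 */
    uint32_t length;     /* number of elements currently stored */
    int8_t contents[];   /* element storage, not used in this demo */
} intset;

/* Default value of set-max-intset-entries in redis.conf; a set stored as an
 * intset is converted to a hashtable once it would exceed this many elements. */
#define DEFAULT_SET_MAX_INTSET_ENTRIES 512u

/* Same arithmetic as the vulnerable intsetBlobLen(): both operands are
 * uint32_t, so the product is computed in 32 bits and wraps before the
 * size_t addition widens it. (intrev32ifbe() is a no-op on little-endian.) */
size_t blob_len_vulnerable(const intset *is) {
    return sizeof(intset) + is->length * is->encoding;
}

/* Hardened variant (example fix, not the upstream patch): widen to 64 bits
 * before multiplying and refuse sizes that cannot be represented in size_t.
 * Returning false instead of a wrapped value means a caller such as
 * setTypeDup() never hands a header-sized allocation to zmalloc() and then
 * copies a multi-gigabyte blob into it. */
bool blob_len_checked(const intset *is, size_t *out) {
    uint64_t bytes = (uint64_t)is->length * (uint64_t)is->encoding;
    if (bytes > (uint64_t)(SIZE_MAX - sizeof(intset))) return false;
    if (out) *out = sizeof(intset) + (size_t)bytes;
    return true;
}

/* Helpers for trying hypothetical header values without allocating anything. */
size_t wrapped_size_for(uint32_t length, uint32_t encoding) {
    intset hdr = { .encoding = encoding, .length = length };
    return blob_len_vulnerable(&hdr);
}

bool checked_size_for(uint32_t length, uint32_t encoding, size_t *out) {
    intset hdr = { .encoding = encoding, .length = length };
    return blob_len_checked(&hdr, out);
}

/* The payload size as it should have been computed (64-bit product). */
uint64_t widened_bytes(uint32_t length, uint32_t encoding) {
    return (uint64_t)length * (uint64_t)encoding;
}

/* True when the default intset cap alone rules out the wraparound: even at
 * 8 bytes per element, 512 elements are only 4096 bytes, far below UINT32_MAX.
 * This is the property the CONFIG SET ACL restriction preserves. */
bool default_cap_prevents_wrap(void) {
    return widened_bytes(DEFAULT_SET_MAX_INTSET_ENTRIES, 8) <= UINT32_MAX;
}

int main(void) {
    /* Constructed header values: 2^29 elements of 8 bytes is exactly 2^32
     * payload bytes, so the 32-bit product wraps to 0 and the blob appears
     * to be header-sized (8 bytes). */
    uint32_t big = 1u << 29;
    size_t checked = 0;

    printf("vulnerable size:  %zu bytes\n", wrapped_size_for(big, 8));
    if (checked_size_for(big, 8, &checked))
        printf("checked size:     %zu bytes\n", checked);
    else
        printf("checked size:     rejected (does not fit in size_t)\n");
    printf("default cap safe: %s\n", default_cap_prevents_wrap() ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the vulnerable computation reports 8 bytes for a blob whose real payload is 4 GiB, while the checked variant returns the true size; on a 32-bit build the checked variant rejects the request outright, which is the correct outcome in either case.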

Comment 22 errata-xmlrpc 2021-08-06 00:51:22 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 23 Product Security DevOps Team 2021-08-06 01:07:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29478