Bug 1957414 (CVE-2021-29478)
| Field | Value |
|---|---|
| Summary | CVE-2021-29478 redis: Integer overflow via COPY command for large intsets |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | agerstmayr, apevec, bcoca, chousekn, cmeyers, davidn, fabian.deutsch, fedora, fpercoco, gblomqui, gghezzo, gparvin, jal233, jcammara, jhardy, jjoyce, jobarker, jramanat, jschluet, jweiser, kaycoth, lhh, lpeer, mabashia, mburns, mgoodwin, nathans, notting, osapryki, rcollet, redis-maint, relrod, rpetrell, sclewis, sdoran, slinaber, smcdonal, stcannon, thee, tkuratom, vmugicag |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | redis 6.2.3 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in redis. An integer overflow bug could be exploited to corrupt the heap and potentially result in remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-08-06 01:07:26 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1957416, 1957415, 1957465, 1957720, 1957721, 1957722, 1957723, 1957724, 1957912, 1957915, 1957916 |
| Bug Blocks | 1957417 |
Description
Pedro Sampaio
2021-05-05 18:14:39 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1957416]
Affects: fedora-all [bug 1957415]

Upstream patches:
https://github.com/redis/redis/commit/789f10156009b404950ad717642a9496ed887083
https://github.com/redis/redis/commit/046352069396fe3be0a50ca505cb65af15c0d995

Mitigation:
The flaw can be mitigated by disallowing usage of the CONFIG SET command via ACL configuration. This will prevent clients from setting the set-max-intset-entries configuration parameter. Please see https://redis.io/topics/acl for more information on how to do this.

AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3, as shown below as well:

[root@ip-10-0-10-39 ~]# dnf list installed | grep redis
redis.x86_64 5.0.3-2.module+el8.0.0.z+3657+acb471dc @rhel-8-appstream-rhui-rpms

Also, the affected functionality, i.e. the COPY command, is not explicitly allowed in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point. Hence, marking this as "Not Affected".

Statement:
redis:6/redis and redis:5/redis shipped in Red Hat Enterprise Linux 8 are not affected by this flaw as they do not ship vulnerable versions of Redis. The versions of Redis provided by Red Hat OpenStack Platform are not directly affected by this issue. As a result the impact is lowered and no update will be provided at this time.

External References:
https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3

Flaw summary:
In src/intset.c's intsetBlobLen() routine there is the following line:

`return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);`

If the result of `intrev32ifbe(is->length)*intrev32ifbe(is->encoding)` > UINT32_MAX, then this will cause an unsigned integer wraparound. The incorrect result will then be added to sizeof(intset) and returned. Therefore there will be an incorrect intset blob size. This is a problem because the return value of this function is e.g. used in `intset *newis = zmalloc(size);` to control memory allocation in setTypeDup() of t_set.c. This means the integer wraparound can lead to incorrect memory allocations, which can subsequently lead to out-of-bounds write and read operations. It can be set by setting the set-max-intset-entries configuration parameter (using CONFIG SET command) to a large number, controlling is->encoding and causing the wraparound to occur.

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-29478
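The ACL mitigation the description points to, as an added example that is not from this page or from the Redis project: a redis.conf `user` line for an application profile that keeps normal data access but removes CONFIG SET. The user name and password are placeholders.

```conf
# Added example: application user that cannot run CONFIG SET.
# Rules apply left to right: grant all commands, drop CONFIG entirely,
# then re-add only the GET subcommand.
user app on >replace-with-a-real-password ~* +@all -config +config|get
```

The order matters on the affected 6.2 releases: their ACL syntax can add a single subcommand with `+config|get` but cannot subtract one with `-config|set`, so the whole command is removed and the read-only subcommand re-added. The same rule can live in the file named by the `aclfile` directive instead of redis.conf; either way, confirm the result with `ACL LIST` and `ACL GETUSER app` after loading, and remember that the `default` user still has full access unless it is disabled or locked down the same way.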
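The wraparound described in the flaw summary, as an added example written for this page (it is not Redis source and not the upstream patch): it models the size arithmetic of intsetBlobLen() with the same two uint32 header fields, shows the wrapped result beside a size_t-widened form, and adds the bound check and reachability computation a reviewer of the COPY path would want. All struct, function and variable names prefixed ex_ are this example's own, the size_t cast is this example's hardening (compare it against the linked upstream commits), byte-order conversion (intrev32ifbe) is omitted, and a 64-bit host is assumed.

```c
/* Added example, not Redis source code: models intsetBlobLen() from
 * src/intset.c as quoted in the flaw summary. Names prefixed ex_ are this
 * example's own; host byte order and a 64-bit size_t are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same field layout and widths as the Redis intset header. */
typedef struct {
    uint32_t encoding;   /* bytes per element: 2, 4 or 8 */
    uint32_t length;     /* element count */
    int8_t   contents[]; /* length * encoding bytes follow the header */
} ex_intset;

#define EX_ENC_INT64 8u

/* Vulnerable form: both operands are uint32_t, so the product is evaluated in
 * 32 bits and wraps before it is widened and added to the header size. */
size_t ex_blob_len_vulnerable(const ex_intset *is) {
    return sizeof(ex_intset) + is->length * is->encoding;
}

/* Hardened form (this example's fix): widen one operand first so the
 * multiply happens in size_t. UINT32_MAX * UINT32_MAX fits in 64 bits. */
size_t ex_blob_len_fixed(const ex_intset *is) {
    return sizeof(ex_intset) + (size_t)is->length * is->encoding;
}

/* Smallest length at which length * encoding wraps in 32 bits: the product
 * must reach 2^32, i.e. ceil(2^32 / encoding). For int64 encoding: 2^29. */
uint32_t ex_min_wrapping_length(uint32_t encoding) {
    return (uint32_t)(((1ULL << 32) + encoding - 1) / encoding);
}

/* Redis keeps a set as an intset only while it has at most
 * set-max-intset-entries elements, so the wrap is reachable only after that
 * limit has been raised to at least the wrapping length (the CONFIG SET
 * precondition this bug describes). */
bool ex_wrap_reachable(uint64_t set_max_intset_entries, uint32_t encoding) {
    return set_max_intset_entries >= ex_min_wrapping_length(encoding);
}

/* Bound check a copy routine should make before trusting a header: the body
 * size the header implies must fit in the bytes actually allocated. Fails
 * for a blob allocated with the wrapped size, whose header promises far
 * more elements than the buffer holds, so later contents[] accesses that
 * index by is->length read or write outside the allocation. */
bool ex_header_fits(const ex_intset *is, size_t alloc_bytes) {
    if (alloc_bytes < sizeof(ex_intset)) return false;
    return (size_t)is->length * is->encoding <= alloc_bytes - sizeof(ex_intset);
}

/* Models the allocation-size step of setTypeDup(): zmalloc(size) followed by
 * memcpy() of that many bytes would use the value returned here. */
size_t ex_dup_alloc_size(uint32_t length, uint32_t encoding, bool hardened) {
    ex_intset hdr = { .encoding = encoding, .length = length };
    return hardened ? ex_blob_len_fixed(&hdr) : ex_blob_len_vulnerable(&hdr);
}

int main(void) {
    /* Constructed header: 2^29 + 1 int64 elements, about 4 GiB of payload. */
    uint32_t len = ex_min_wrapping_length(EX_ENC_INT64) + 1;
    ex_intset hdr = { .encoding = EX_ENC_INT64, .length = len };
    size_t bad = ex_dup_alloc_size(len, EX_ENC_INT64, false);
    size_t good = ex_dup_alloc_size(len, EX_ENC_INT64, true);
    printf("length=%u encoding=%u\n", len, EX_ENC_INT64);
    printf("vulnerable blob len: %zu bytes\n", bad);
    printf("hardened blob len:   %zu bytes\n", good);
    printf("header fits vulnerable alloc: %s\n", ex_header_fits(&hdr, bad) ? "yes" : "no");
    printf("wrap reachable at default 512: %s\n", ex_wrap_reachable(512, EX_ENC_INT64) ? "yes" : "no");
    printf("wrap reachable at 2^30:        %s\n", ex_wrap_reachable(1ULL << 30, EX_ENC_INT64) ? "yes" : "no");
    return 0;
}
```

With 2^29 + 1 int64 elements the 32-bit product is 2^32 + 8, which wraps to 8, so the vulnerable computation asks the allocator for 16 bytes where the widened form asks for 4294967312. The reachability helper makes the mitigation's logic concrete: an intset must actually hold at least 2^29 integers before the product can wrap, and Redis converts a set to a hash table once it exceeds set-max-intset-entries (default 512), so an attacker first has to raise that limit with CONFIG SET and then materialize roughly 4 GiB of intset payload before COPY is called.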