| Field | Value |
|---|---|
| Summary | CVE-2021-32761 redis: integer overflow issues with BITFIELD command on 32-bit systems |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | agerstmayr, apevec, bcoca, caswilli, chousekn, cmeyers, davidn, dbecker, fabian.deutsch, fedora, fpercoco, gblomqui, gghezzo, gparvin, jal233, jcammara, jhardy, jjoyce, jobarker, jramanat, jschluet, kaycoth, lhh, lpeer, mabashia, mburns, mgoodwin, nathans, notting, osapryki, rcollet, redis-maint, relrod, rhos-maint, rpetrell, sclewis, sdoran, slinaber, smcdonal, stcannon, tkuratom, vmugicag |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | Redis 5.0.13, Redis 6.0.15, Redis 6.2.5 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Redis. Issuing the BITFIELD command on a 32-bit version of Redis may result in an integer wraparound, allowing an attacker to crash the service or perform remote code execution. The highest threat from this vulnerability is to data confidentiality, integrity, and service availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-08-05 19:07:14 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | 1985477, 1985478 |
| Bug Blocks | 1985479 |
Description
Guilherme de Almeida Suckevicz
2021-07-23 16:38:21 UTC
Created redis tracking bugs for this issue:

- Affects: epel-7 [bug 1985478]
- Affects: fedora-all [bug 1985477]

RHACM ships only 64-bit containers. Marking RHACM as NOTAFFECTED.

Analysis is complete for Ansible components. As a result, it was found that the affected versions of Redis are not in use in any components of Ansible. The current Redis version for Ansible is redis-0:5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64, where the patch is already available for this CVE/Vulnerability. Hence, marking Ansible components as "Not Affected" by this vulnerability.

Pull request with patch and discussion at https://github.com/redis/redis/pull/9191

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-32761