Bug 1985476 (CVE-2021-32761)

Summary: CVE-2021-32761 redis: integer overflow issues with BITFIELD command on 32-bit systems
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: agerstmayr, apevec, bcoca, caswilli, chousekn, cmeyers, davidn, dbecker, fabian.deutsch, fedora, fpercoco, gblomqui, gghezzo, gparvin, jal233, jcammara, jhardy, jjoyce, jobarker, jramanat, jschluet, kaycoth, lhh, lpeer, mabashia, mburns, mgoodwin, nathans, notting, osapryki, rcollet, redis-maint, relrod, rhos-maint, rpetrell, sclewis, sdoran, slinaber, smcdonal, stcannon, tkuratom, vmugicag
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Redis 5.0.13, Redis 6.0.15, Redis 6.2.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Redis. Issuing the BITFIELD command on a 32-bit version of Redis may result in an integer wrap around allowing an attacker to crash the service or perform remote code execution. The highest threat from this vulnerability is to the data confidentiality, integrity, and service availability.
Last Closed: 2021-08-05 19:07:14 UTC
Bug Depends On: 1985477, 1985478
Bug Blocks: 1985479

Description Guilherme de Almeida Suckevicz 2021-07-23 16:38:21 UTC
Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Reference:
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
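The workaround above hinges on no unprivileged user being able to run CONFIG SET. The following checker is an added example (not code from the advisory or from the Redis project): it parses Redis ACL-file rules left to right, the way redis-server applies them, and reports which users can still reach CONFIG SET. The sample ACL file is constructed; the category membership of CONFIG (@admin, @slow, @dangerous) is taken from the Redis 6 command table.

```python
"""Report Redis ACL users who can run CONFIG SET (mitigation check for CVE-2021-32761)."""

# Categories that include the CONFIG command in the Redis 6 command table.
CONFIG_CATEGORIES = {"@all", "@admin", "@slow", "@dangerous"}


def can_config_set(rules):
    """Evaluate ACL rule tokens in order and return True if CONFIG SET is allowed."""
    allowed = False
    for tok in rules:
        low = tok.lower()
        if low in ("allcommands", "+@all"):
            allowed = True
        elif low in ("nocommands", "-@all", "reset"):  # reset also strips all commands
            allowed = False
        elif low.startswith("+@") and low[1:] in CONFIG_CATEGORIES:
            allowed = True
        elif low.startswith("-@") and low[1:] in CONFIG_CATEGORIES:
            allowed = False
        elif low in ("+config", "+config|set"):
            allowed = True
        elif low in ("-config", "-config|set"):  # subcommand removal is Redis 7 syntax
            allowed = False
        # on/off, nopass, >password, ~keypattern, &channel do not affect commands
    return allowed


def parse_acl_file(text):
    """Map user name -> list of rule tokens from 'user <name> <rules...>' lines."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users


def users_who_can_config_set(text):
    """Sorted list of users able to run CONFIG SET; the implicit default user is +@all."""
    users = parse_acl_file(text)
    users.setdefault("default", ["on", "nopass", "~*", "+@all"])  # Redis built-in default
    return sorted(name for name, rules in users.items() if can_config_set(rules))


# Constructed sample ACL file for demonstration (not from the advisory).
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on >app-secret ~cache:* +@all -@dangerous
user ops on >ops-secret ~* +@all
user limited on >x ~* -@all +@read +get +config|get
"""

if __name__ == "__main__":
    print("users able to CONFIG SET:", users_who_can_config_set(SAMPLE_ACL))
```

Any user listed in the output that is not an administrator defeats the workaround and should have `-@dangerous` (or `-config`) appended to its rules.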

Comment 1 Guilherme de Almeida Suckevicz 2021-07-23 16:38:50 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1985478]
Affects: fedora-all [bug 1985477]

Comment 2 Jan Werner 2021-07-23 19:57:48 UTC
RHACM ships only 64 bit containers. Marking RHACM as NOTAFFECTED.

Comment 3 Tapas Jena 2021-07-27 11:20:37 UTC
Analysis is complete for Ansible components. As a result, it was found that the affected versions of Redis are not in use in any components of Ansible. The current Redis version for Ansible is redis-0:5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64 where the patch is already available for this CVE/Vulnerability.

Hence, marking Ansible components as "Not Affected" by this vulnerability.

Comment 4 Charles Timko 2021-07-28 20:38:01 UTC
Pull request with patch and discussion at https://github.com/redis/redis/pull/9191

Comment 5 Product Security DevOps Team 2021-08-05 19:07:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32761