Red Hat Bugzilla – Bug 1515245
CVE-2016-10517 redis: cross-protocol attack using malicious HTTP request
Last modified: 2018-02-12 04:14:24 EST
networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port). Upstream patch: https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50 References: https://github.com/antirez/redis/blob/3.2.7/00-RELEASENOTES
OSP11 is shipping 3.2.8 which contains the fix, validated against source package.
Cross Protocol Scripting attacks, as described below, rely on a proxy, such as a web browser, to relay request to the target (Redis). In addition to a proxy some way of relaying to the response to the attacker is also required. http://bouk.co/blog/hacking-developers/ I don't see how either of these 2 requirements could be met in an environment where Redis is running as a service in Openshift. Since RHMAP deploys Redis in this way, I'm marking RHMAP as unaffected.
Cross protocol scripting requires a vulnerable machine with access to proxy requests, to receive the response a further attack, such as DNS rebind is required. The way that redis is used within OpenStack means that it is not being used by developers or user machines. It is used in the backend primarily, through the management network, for token caching etc. To exploit redis in its configuration inside OpenStack, using this vector, would be very very unlikely, especially within a properly designed network.
Mitigation: This issue can be mitigated by configuring Redis to require clients to authenticate with password. Password authentication can be enabled using the 'requirepass' directive in the redis.conf configuration file.