Bug 1594291 (CVE-2018-12326) - CVE-2018-12326 redis: Code execution in redis-cli via crafted command line arguments
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1594294 1595070 1595071 1595072 1595073 1595074 1595075 1595076 1595077 1595078 1596254
Blocks: 1594295
Reported: 2018-06-22 14:34 UTC by Laura Pardo
Modified: 2019-09-29 14:42 UTC (History)

Fixed In Version: redis 5.0-rc2, redis 4.0.10, redis 3.2.12
Doc Type: If docs needed, set a value
Doc Text:
The Redis command line tool 'redis-cli' is vulnerable to a buffer overflow through the -h (host) command line parameter. The redis-cli may be used by other services; if these services do not adequately filter the host input it could lead to code execution with the privilege level of that service.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:29:53 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0052 None None None 2019-01-16 17:11:42 UTC
Red Hat Product Errata RHSA-2019:0094 None None None 2019-01-16 17:57:34 UTC
Red Hat Product Errata RHSA-2019:1860 None None None 2019-07-25 16:08:18 UTC

Description Laura Pardo 2018-06-22 14:34:03 UTC
A flaw was found in Redis before 4.0.10 and 5.x before 5.0 RC2. A buffer overflow in redis-cli allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line.


References:
https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES 	
https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0 	 	
https://www.exploit-db.com/exploits/44904/ 	

Patch:
https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50

Comment 1 Laura Pardo 2018-06-22 14:34:52 UTC
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1594294]

Comment 2 Joshua Padman 2018-06-26 03:45:10 UTC
The Redis command line tool "redis-cli" is vulnerable to a buffer overflow through the -h (host) command line parameter. If using redis-cli directly this could cause a self DoS or code execution with the same privilege level the command was executed with. This is unlikely to impact the security of the system as the attacker would already require access.
It is possible that products are built to call redis-cli and may allow an attacker with access to the layered product to gain command execution on the underlying system. This would require the unfiltered host parameter to be passed from the layered product to redis-cli.

Specific to OpenStack:
The default key-value data store in OpenStack is memcached. Regardless, none of the components that are included with Red Hat OpenStack make calls to redis-cli in a way that would allow the host value to be manipulated.
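
The host filtering that a layered product would need before passing a value to redis-cli -h, as described in the comment above, sketched as an added example (not code from Redis, Red Hat, or this bug). It assumes the product only ever needs DNS names or IP literals as hosts; `validate_host` and `build_redis_cli_argv` are hypothetical names, and the sample inputs are constructed.

```python
import ipaddress
import re

# Assumption: a redis-cli host is either an IP literal or an RFC 1123 hostname.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
MAX_HOSTNAME_LEN = 253  # DNS limit for a hostname in text form


def validate_host(host):
    """Return host unchanged if it is an IP literal or hostname, else raise ValueError."""
    if not isinstance(host, str) or not host:
        raise ValueError("host must be a non-empty string")
    if len(host) > MAX_HOSTNAME_LEN:
        # Bounds the length of what reaches redis-cli, whatever version is installed.
        raise ValueError("host exceeds %d characters" % MAX_HOSTNAME_LEN)
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    name = host[:-1] if host.endswith(".") else host  # allow one trailing dot
    # fullmatch rejects whitespace, control bytes, and labels starting with '-'
    # (which could otherwise be read as another command line option).
    if all(_LABEL.fullmatch(label) for label in name.split(".")):
        return host
    raise ValueError("host is not a valid hostname or IP address")


def build_redis_cli_argv(host, port=6379, command=("PING",)):
    """Build an argv list for subprocess.run(argv), i.e. without a shell."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ["redis-cli", "-h", validate_host(host), "-p", str(port), *command]


if __name__ == "__main__":
    # Constructed inputs: two acceptable hosts and two that must be refused.
    for candidate in ["redis.example.internal", "10.0.0.5", "A" * 300, "-x"]:
        try:
            print("ok      ", build_redis_cli_argv(candidate))
        except ValueError as err:
            print("rejected", repr(candidate[:20]), "-", err)
```

Validation of this kind limits exposure in the calling service; the versions listed under "Fixed In Version" are what remove the overflow from redis-cli itself.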

Comment 7 errata-xmlrpc 2019-01-16 17:11:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0052 https://access.redhat.com/errata/RHSA-2019:0052

Comment 8 errata-xmlrpc 2019-01-16 17:57:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0094 https://access.redhat.com/errata/RHSA-2019:0094

Comment 12 errata-xmlrpc 2019-07-25 16:08:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:1860 https://access.redhat.com/errata/RHSA-2019:1860

