Bug 1985476 (CVE-2021-32761) - CVE-2021-32761 redis: integer overflow issues with BITFIELD command on 32-bit systems
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-32761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1985477 1985478
Blocks: 1985479
Reported: 2021-07-23 16:38 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-08-05 19:07 UTC (History)

Fixed In Version: Redis 5.0.13, Redis 6.0.15, Redis 6.2.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Redis. Issuing the BITFIELD command on a 32-bit version of Redis may result in an integer wrap around allowing an attacker to crash the service or perform remote code execution. The highest threat from this vulnerability is to the data confidentiality, integrity, and service availability.
Clone Of:
Environment:
Last Closed: 2021-08-05 19:07:14 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-07-23 16:38:21 UTC
Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Reference:
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
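The ACL workaround named in the description, written out as an added configuration example; this is not part of the advisory, the bug report, or the Redis project's own files. It assumes a Redis 6.0 or later server (ACLs do not exist in Redis 5.0), a `redis.conf` that loads rules from an external ACL file, and constructed user names and placeholder passwords:

```text
# redis.conf fragment (assumed path /etc/redis/redis.conf): load user rules from an ACL file
aclfile /etc/redis/users.acl

# /etc/redis/users.acl (constructed example; user names and passwords are placeholders)

# Disable the default user so every client must authenticate as a named user.
user default off

# Application user: may run everything except CONFIG, then CONFIG GET is re-allowed read-only.
# Removing the whole CONFIG command is what blocks CONFIG SET proto-max-bulk-len; in Redis 6.x
# subcommand rules are additive only, so "-config +config|get" is the way to express this.
user app on >REPLACE_WITH_STRONG_PASSWORD ~* +@all -config +config|get

# Operator user, intended for administrators only: retains CONFIG SET.
user admin on >REPLACE_WITH_STRONG_PASSWORD ~* +@all
```

After reloading (`ACL LOAD` from an admin session, or a restart), `ACL LIST` shows the effective rules and a CONFIG SET issued by `app` fails with a NOPERM error, which is the check to run before relying on this as a stopgap. On Redis 6.2 pub/sub channel patterns (`&*`) can be added to the rules; they are omitted here so the same file also loads on 6.0. This restricts the CONFIG SET path to `proto-max-bulk-len` only; the fixed versions listed in the report remain the actual remedy.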

Comment 1 Guilherme de Almeida Suckevicz 2021-07-23 16:38:50 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1985478]
Affects: fedora-all [bug 1985477]

Comment 2 Jan Werner 2021-07-23 19:57:48 UTC
RHACM ships only 64 bit containers. Marking RHACM as NOTAFFECTED.

Comment 3 Tapas Jena 2021-07-27 11:20:37 UTC
Analysis is complete for Ansible components. As a result, it was found that the affected versions of Redis are not in use in any components of Ansible. The current Redis version for Ansible is redis-0:5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64 where the patch is already available for this CVE/Vulnerability.

Hence, marking Ansible components as "Not Affected" by this vulnerability.

Comment 4 Charles Timko 2021-07-28 20:38:01 UTC
Pull request with patch and discussion at https://github.com/redis/redis/pull/9191

Comment 5 Product Security DevOps Team 2021-08-05 19:07:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32761

