Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted commands bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
Created redis tracking bugs for this issue:
Affects: epel-7 [bug 1985478]
Affects: fedora-all [bug 1985477]
RHACM ships only 64 bit containers. Marking RHACM as NOTAFFECTED.
Analysis is complete for Ansible components. As a result, it was found that the affected versions of Redis are not in use in any components of Ansible. The current Redis version for Ansible is redis-0:5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64 where the patch is already available for this CVE/Vulnerability.
Hence, marking Ansible components as "Not Affected" by this vulnerability.
Pull request with patch and discussion at https://github.com/redis/redis/pull/9191
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):