Bug 2010988 (CVE-2021-32762) - CVE-2021-32762 redis: Integer overflow in redis-cli, redis-sentinel on some platforms
Summary: CVE-2021-32762 redis: Integer overflow in redis-cli, redis-sentinel on some p...
Keywords:
Status: NEW
Alias: CVE-2021-32762
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2012208 2011189 2012207 2012927 2015849 2015850
Blocks: 2011061
TreeView+ depends on / blocked
 
Reported: 2021-10-05 17:55 UTC by Pedro Sampaio
Modified: 2023-10-25 17:21 UTC (History)
44 users (show)

Fixed In Version: redis 6.2.6, redis 6.0.16, redis 5.0.14
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow issue leading to heap buffer overflow was found in the `hiredis` library. The "redis-cli" command-line tool and "redis-sentinel" service may be vulnerable to this flaw when parsing specially crafted, large multi-bulk network replies. This flaw allows a remote attacker to corrupt the heap and potentially trigger remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2021-10-05 17:55:07 UTC
Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.

References:

https://github.com/redis/redis/security/advisories/GHSA-833w-8v3m-8wwr
https://github.com/redis/redis/commit/0215324a66af949be39b34be2d55143232c1cb71

Comment 4 Mauro Matteo Cascella 2021-10-08 14:59:30 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 2012208]
Affects: fedora-all [bug 2012207]

Comment 13 Tapas Jena 2022-01-11 12:43:19 UTC
The analysis for Ansible components i.e. AAP 1.2 need to be rectified here. Ansible doesn't consume REDIS directly i.e. Its not a direct dependency for AAP 1.2. It consumes Redis from underlying platform i.e. RHEL. Since, RHEL 8 is not affected by this vulnerability, marking AAP 1.2 as "Not Affected" as well.


Note You need to log in before you can comment on or make changes to this bug.