Bug 1932634 (CVE-2021-21309) - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms
Status: CLOSED ERRATA
Alias: CVE-2021-21309
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1932636 1932635 1936438 1936648
Blocks: 1932637
Reported: 2021-02-24 19:55 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-08-06 00:50 UTC (History)

Fixed In Version: redis 5.0.11, redis 6.0.11, redis 6.2
Doc Text:
An integer overflow was found in Redis. Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. The default size is 512MB which is a safe value for all platforms. Authenticated Redis users could increase the bulk input size by changing the "proto-max-bulk-len" configuration parameter, leading to heap corruption and potentially remote code execution.
Last Closed: 2021-06-16 21:04:13 UTC

Links
Red Hat Product Errata RHSA-2021:2461 (last updated 2021-06-16 19:28:08 UTC)
Red Hat Product Errata RHSA-2021:3016 (last updated 2021-08-06 00:50:27 UTC)

Description Guilherme de Almeida Suckevicz 2021-02-24 19:55:06 UTC
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB, which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result in buffer overflows and heap corruption.

Reference:
https://groups.google.com/g/redis-db/c/fV7cI3GSgoQ/m/ocwV-MlzAgAJ

Comment 1 Guilherme de Almeida Suckevicz 2021-02-24 19:55:36 UTC
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1932636]
Affects: fedora-all [bug 1932635]

Comment 2 Tapas Jena 2021-02-25 11:21:52 UTC
The affected version of the vulnerable component, i.e. Redis 4.0, is not being consumed by either Ansible Automation Platform or Ansible Tower.

Comment 6 Mauro Matteo Cascella 2021-03-10 16:17:34 UTC
External References:

https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf

Comment 8 Mauro Matteo Cascella 2021-03-19 15:10:16 UTC
Mitigation:

As recommended in the upstream advisory, this issue can be mitigated by preventing clients from directly executing `CONFIG SET`:
* Using Redis 6.0 or newer, ACL configuration can be used to block the command.
* Using older versions, the `rename-command` configuration directive can be used to rename the command to a random string unknown to users, rendering it inaccessible.
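
The two mitigations above, written out as a redis.conf fragment. This is an added example, not configuration from the advisory or from Red Hat; the user names and the password and command-name placeholders are assumptions to be replaced locally.

```conf
# redis.conf fragment (added example): keep CONFIG SET away from application clients.

# Redis 6.0 or newer: ACLs. Drop the whole CONFIG command from the application
# user. Redis 6.0 cannot remove a single subcommand, only re-add one, so CONFIG
# is removed entirely and CONFIG GET is allowed back for read-only inspection.
# A separate operator account keeps full access for administration.
user default on >APP-PASSWORD-PLACEHOLDER ~* +@all -config +config|get
user operator on >OPERATOR-PASSWORD-PLACEHOLDER ~* +@all

# Redis older than 6.0 (no ACLs): rename CONFIG to a value clients do not know.
# Use a long random string generated on the host; "" disables the command outright.
rename-command CONFIG "RANDOM-COMMAND-NAME-PLACEHOLDER"

# Keep the bulk-length limit at the safe default named in the advisory. The
# overflow on 32-bit builds only arises when this value is raised well above it.
proto-max-bulk-len 512mb
```

On a running 6.0+ instance, ACL LIST shows whether the application user still carries the config command; on older versions, the renamed command simply returns an unknown-command error to clients.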

Comment 9 Mauro Matteo Cascella 2021-03-22 11:07:00 UTC
Statement:

This issue only affects 32-bit Redis. Red Hat Enterprise Linux 8 and Red Hat Software Collections are not affected by this issue because they do not provide support for 32-bit Redis. The following products are not affected because the vulnerable component (Redis 4.0) is not being consumed:
 * Red Hat Ansible Automation Platform
 * Red Hat Ansible Tower
 * Red Hat OpenStack Platform

Comment 13 errata-xmlrpc 2021-06-16 19:28:00 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:2461 https://access.redhat.com/errata/RHSA-2021:2461

Comment 14 Product Security DevOps Team 2021-06-16 21:04:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21309

Comment 15 errata-xmlrpc 2021-08-06 00:50:23 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
