Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption. Reference: https://groups.google.com/g/redis-db/c/fV7cI3GSgoQ/m/ocwV-MlzAgAJ
Created redis tracking bugs for this issue: Affects: epel-all [bug 1932636] Affects: fedora-all [bug 1932635]
The affected version of the vulnerable component i.e. Redis 4.0 is not being consumed by either Ansible Automation Platform Or Ansible Tower.
Upstream fix: https://github.com/redis/redis/commit/d32f2e9999ce003bad0bd2c3bca29f64dcce4433
External References: https://github.com/redis/redis/security/advisories/GHSA-hgj8-vff2-7cjf
Mitigation: As recommended in the upstream advisory, this issue can be mitigated by preventing clients from directly executing `CONFIG SET`: * Using Redis 6.0 or newer, ACL configuration can be used to block the command. * Using older versions, the `rename-command` configuration directive can be used to rename the command to a random string unknown to users, rendering it inaccessible.
Statement: This issue only affects 32-bit Redis. Red Hat Enterprise Linux 8 and Red Hat Software Collections are not affected by this issue because they do not provide support for 32-bit Redis. The following products are not affected because the vulnerable component (Redis 4.0) is not being consumed: * Red Hat Ansible Automation Platform * Red Hat Ansible Tower * Red Hat OpenStack Platform
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2021:2461 https://access.redhat.com/errata/RHSA-2021:2461
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21309
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016