Bug 1957410 (CVE-2021-29477) - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command
Summary: CVE-2021-29477 redis: Integer overflow via STRALGO LCS command
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29477
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1957412 1957411 1957466 1957694 1957695 1957696 1957697 1957698 1957917 1957918 1957919 1957920 1957921 1957922
Blocks: 1957417
Reported: 2021-05-05 18:11 UTC by Pedro Sampaio
Modified: 2022-04-17 21:22 UTC

Fixed In Version: redis 6.2.3, redis 6.0.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in redis. An integer overflow bug could be exploited to corrupt the heap and potentially result in remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-19 14:33:50 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:51:19 UTC

Description Pedro Sampaio 2021-05-05 18:11:16 UTC
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:

https://redis.io/
https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g

Comment 1 Pedro Sampaio 2021-05-05 18:12:00 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1957412]
Affects: fedora-all [bug 1957411]

Comment 5 Todd Cullum 2021-05-06 18:41:06 UTC
Statement:

redis:5/redis as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because it does not ship a vulnerable version of Redis.

Comment 8 Todd Cullum 2021-05-06 23:11:42 UTC
Flaw summary:

The line `uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));` in stralgoLCS() from src/t_string.c allows for an unsigned integer wraparound to occur if (alen+1)*(blen+1)*sizeof(uint32_t) > UINT32_MAX. This could result in under-allocation of memory for lcs, which subsequently allows for out-of-bounds writes and reads to occur when the memory is accessed in the loop below. This is a problem because alen and blen are obtained from a and b, which are in turn obtained from the client.
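
The size arithmetic described in the flaw summary, shown as an added example (not Redis code and not the upstream fix): the unchecked form reproduces the wraparound, assuming, as the UINT32_MAX bound in the comment implies, that alen and blen are 32-bit unsigned values; the checked form is one way to compute the same size safely, with every step validated and a caller-chosen cap on the table size. The function names and the sample lengths are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same arithmetic as the zmalloc() argument quoted in the flaw summary, with
 * alen and blen as 32-bit values. (alen+1)*(blen+1) is evaluated in 32-bit
 * unsigned arithmetic and wraps silently before the widening multiply by
 * sizeof(uint32_t), so the byte count can be far smaller than the
 * (alen+1) x (blen+1) table that the LCS loop will later index. */
size_t lcs_table_bytes_unchecked(uint32_t alen, uint32_t blen)
{
    return (alen + 1) * (blen + 1) * sizeof(uint32_t);
}

/* Hardened form (added example, not the upstream fix): compute in size_t,
 * reject every step that would wrap, and reject tables above a caller-chosen
 * cap so client-controlled lengths cannot drive huge allocations either.
 * Returns false when no safe size exists; *out is untouched in that case. */
bool lcs_table_bytes_checked(size_t alen, size_t blen, size_t max_bytes,
                             size_t *out)
{
    size_t rows = alen + 1, cols = blen + 1;
    if (rows == 0 || cols == 0)                 /* alen+1 or blen+1 wrapped */
        return false;
    if (rows > SIZE_MAX / cols)                 /* rows*cols would wrap */
        return false;
    size_t cells = rows * cols;
    if (cells > SIZE_MAX / sizeof(uint32_t))    /* cells*4 would wrap */
        return false;
    size_t bytes = cells * sizeof(uint32_t);
    if (bytes > max_bytes)                      /* policy cap */
        return false;
    *out = bytes;
    return true;
}

/* True when the unchecked arithmetic would hand zmalloc() a smaller buffer
 * than the table needs, i.e. the under-allocation the comment describes. */
bool lcs_would_underallocate(uint32_t alen, uint32_t blen)
{
    size_t need;
    if (!lcs_table_bytes_checked(alen, blen, SIZE_MAX, &need))
        return true;                            /* size not even representable */
    return lcs_table_bytes_unchecked(alen, blen) < need;
}

int main(void)
{
    uint32_t alen = 65535, blen = 65535;        /* constructed sample lengths */
    printf("unchecked: %zu bytes, underallocates: %d\n",
           lcs_table_bytes_unchecked(alen, blen),
           (int)lcs_would_underallocate(alen, blen));
    return 0;
}
```

With two 65535-byte inputs the unchecked product is exactly 2^32 and wraps to 0, so the request would be for a zero-byte buffer while the loop still writes a 65536 x 65536 table.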

Comment 9 Todd Cullum 2021-05-06 23:15:35 UTC
Mitigation:

The flaw can be mitigated by disallowing usage of the STRALGO LCS command via ACL configuration. Please see https://redis.io/topics/acl for more information on how to do this.

Comment 10 Tapas Jena 2021-05-07 14:09:00 UTC
AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3 as shown below as well:

[root@ip-10-0-10-39 ~]# dnf list installed | grep redis
redis.x86_64                                  5.0.3-2.module+el8.0.0.z+3657+acb471dc     @rhel-8-appstream-rhui-rpms

Also, the affected functionality, i.e. the STRALGO LCS command, is not in use anywhere in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point.

Hence, marking this as "Not Affected".

Comment 11 Todd Cullum 2021-05-07 18:11:23 UTC
External References:

https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g

Comment 12 errata-xmlrpc 2021-05-19 10:14:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2034 https://access.redhat.com/errata/RHSA-2021:2034

Comment 13 Product Security DevOps Team 2021-05-19 14:33:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29477

Comment 14 errata-xmlrpc 2021-08-06 00:51:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
