Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:
https://redis.io/
https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g
Created redis tracking bugs for this issue:
Affects: epel-7 [bug 1957412]
Affects: fedora-all [bug 1957411]
Upstream patches:
https://github.com/redis/redis/commit/92e3b1802f72ca0c5b0bde97f01d9b57a758d85c
https://github.com/redis/redis/commit/394614a5f91d88380f480c4610926a865b5b0f16
Statement: redis:5/redis as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw because it does not ship a vulnerable version of Redis.
Flaw summary: The line `uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));` in stralgoLCS() from src/t_string.c allows an unsigned integer wraparound to occur if (alen+1)*(blen+1)*sizeof(uint32_t) > UINT32_MAX. This could result in under-allocation of memory for lcs, which subsequently allows out-of-bounds writes and reads to occur when the memory is accessed in the loop below. This is a problem because alen and blen are obtained from a and b, which are in turn obtained from the client.
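The wraparound described in the flaw summary, reproduced as an added example (not the upstream code or patch): the first function evaluates the allocation size exactly as the quoted line does, with 32-bit operands, while the second is a hypothetical hardened replacement that widens to size_t and rejects any size that would wrap instead of returning it. The input lengths 65535/65535 are constructed so that the 32-bit product lands on exactly 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size computation as quoted on the page: alen and blen are uint32_t, so
 * (alen+1)*(blen+1) is evaluated in 32-bit arithmetic and can wrap to a
 * small value before sizeof(uint32_t) is multiplied in. */
size_t lcs_matrix_bytes_unchecked(uint32_t alen, uint32_t blen) {
    return (alen + 1) * (blen + 1) * sizeof(uint32_t);
}

/* Hardened computation (hypothetical, added here): do the arithmetic in
 * size_t, check every step against SIZE_MAX, and report failure rather
 * than a wrapped size so the caller can refuse the request up front. */
bool lcs_matrix_bytes_checked(size_t alen, size_t blen, size_t *bytes) {
    if (alen == SIZE_MAX || blen == SIZE_MAX) return false; /* +1 would wrap */
    size_t rows = alen + 1, cols = blen + 1;
    if (rows > SIZE_MAX / cols) return false;             /* rows*cols wraps */
    size_t cells = rows * cols;
    if (cells > SIZE_MAX / sizeof(uint32_t)) return false; /* *4 wraps */
    *bytes = cells * sizeof(uint32_t);
    return true;
}

int main(void) {
    /* Constructed client-controlled lengths: (65535+1)*(65535+1) == 2^32,
     * which is 0 modulo 2^32, so the unchecked size is a 0-byte buffer. */
    uint32_t alen = 65535, blen = 65535;
    size_t wrapped = lcs_matrix_bytes_unchecked(alen, blen);
    size_t needed = 0;
    bool ok = lcs_matrix_bytes_checked(alen, blen, &needed);
    printf("unchecked size: %zu bytes\n", wrapped);
    if (ok)
        printf("checked size:   %zu bytes\n", needed);
    else
        printf("checked size:   rejected (would overflow size_t)\n");
    return 0;
}
```

On a 64-bit build the unchecked size prints as 0 while the checked size is 17179869184 bytes; a request that large should be rejected by a limit of the caller's choosing, not silently shrunk.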
Mitigation: The flaw can be mitigated by disallowing usage of the STRALGO LCS command via ACL configuration. Please see https://redis.io/topics/acl for more information on how to do this.
AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3, as shown below as well:

    [root@ip-10-0-10-39 ~]# dnf list installed | grep redis
    redis.x86_64    5.0.3-2.module+el8.0.0.z+3657+acb471dc    @rhel-8-appstream-rhui-rpms

Also, the affected functionality, i.e. the STRALGO LCS command, is not in use anywhere in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point. Hence, marking this as "Not Affected".
External References: https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2034 https://access.redhat.com/errata/RHSA-2021:2034
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29477
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016