Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result in remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `set-max-intset-entries` configuration parameter. This can be done using ACL to restrict unprivileged users from using the `CONFIG SET` command.
Created redis tracking bugs for this issue:
Affects: epel-7 [bug 1957416]
Affects: fedora-all [bug 1957415]
The flaw can be mitigated by disallowing usage of the CONFIG SET command via ACL configuration. This will prevent clients from setting the set-max-intset-entries configuration parameter. Please see https://redis.io/topics/acl for more information on how to do this.
AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3 as shown below as well:
[root@ip-10-0-10-39 ~]# dnf list installed | grep redis
redis.x86_64 5.0.3-2.module+el8.0.0.z+3657+acb471dc @rhel-8-appstream-rhui-rpms
Also, the affected functionality, i.e. the COPY command, is not explicitly allowed in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point.
Hence, marking this as "Not Affected".
redis:6/redis and redis:5/redis shipped in Red Hat Enterprise Linux 8 are not affected by this flaw as they do not ship vulnerable versions of Redis.
The versions of Redis provided by Red Hat OpenStack Platform are not directly affected by this issue. As a result the impact is lowered and no update will be provided at this time.
In src/intset.c's intsetBlobLen() routine there is the following line:
If the result of `intrev32ifbe(is->length)*intrev32ifbe(is->encoding)` > UINT32_MAX, then this will cause an unsigned integer wraparound. The incorrect result will then be added to sizeof(intset) and returned. Therefore there will be an incorrect intset blob size. This is a problem because the return value of this function is e.g. used in `intset *newis = zmalloc(size);` to control memory allocation in setTypeDup() of t_set.c. This means the integer wraparound can lead to incorrect memory allocations, which can subsequently lead to out-of-bounds write and read operations. It can be set by setting the set-max-intset-entries configuration parameter (using CONFIG SET command) to a large number, controlling is->encoding and causing the wraparound to occur.
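The wraparound described in the comment above, as an added example that is not Redis source and not part of the original report: a simplified model of the size calculation next to a widened, checked form. The header constant and both function names are assumptions, and the byte-order conversion done by `intrev32ifbe` is omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the intset header: two uint32_t fields, encoding and length.
 * Assumption for this example, not copied from src/intset.c. */
#define INTSET_HEADER_BYTES 8u

/* Pattern from the report: length * encoding is evaluated in 32 bits,
 * so the product wraps modulo 2^32 before the header size is added. */
size_t blob_len_wrapping(uint32_t length, uint32_t encoding) {
    uint32_t payload = length * encoding;          /* wraps silently */
    return (size_t)INTSET_HEADER_BYTES + payload;
}

/* Hardened form: widen to 64 bits before multiplying, then refuse any
 * size that size_t cannot represent. Returns 0 on rejection; 0 is never
 * a valid blob length because the header alone is 8 bytes. */
size_t blob_len_checked(uint32_t length, uint32_t encoding) {
    uint64_t payload = (uint64_t)length * encoding; /* cannot overflow */
    if (payload > (uint64_t)SIZE_MAX - INTSET_HEADER_BYTES)
        return 0;
    return (size_t)(INTSET_HEADER_BYTES + payload);
}

int main(void) {
    /* Constructed values: 2^29 elements of 8 bytes each is exactly
     * 2^32 bytes of payload, one past UINT32_MAX. */
    uint32_t length = 1u << 29, encoding = 8;

    printf("elements claimed : %u\n", (unsigned)length);
    printf("wrapping size    : %zu bytes\n",
           blob_len_wrapping(length, encoding));
    printf("checked size     : %zu bytes (0 = rejected)\n",
           blob_len_checked(length, encoding));
    return 0;
}
```

With the wrapped result, a buffer sized by this value holds only the header while the structure still claims 2^29 elements, which is the mismatch between allocation and contents that the comment above identifies.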
This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):