Bug 1957414 (CVE-2021-29478) - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets
Summary: CVE-2021-29478 redis: Integer overflow via COPY command for large intsets
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29478
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1957416 1957415 1957465 1957720 1957721 1957722 1957723 1957724 1957912 1957915 1957916
Blocks: 1957417
Reported: 2021-05-05 18:14 UTC by Pedro Sampaio
Modified: 2022-04-17 21:22 UTC (History)

Fixed In Version: redis 6.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in redis. An integer overflow bug could be exploited to corrupt the heap and potentially result in remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-08-06 01:07:26 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:51:26 UTC

Description Pedro Sampaio 2021-05-05 18:14:39 UTC
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result in remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `set-max-intset-entries` configuration parameter. This can be done using ACL to restrict unprivileged users from using the `CONFIG SET` command.

References:

https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3
https://redis.io/

Comment 1 Pedro Sampaio 2021-05-05 18:15:29 UTC
Created redis tracking bugs for this issue:

Affects: epel-7 [bug 1957416]
Affects: fedora-all [bug 1957415]

Comment 9 Todd Cullum 2021-05-06 23:27:44 UTC
Mitigation:

The flaw can be mitigated by disallowing usage of the CONFIG SET command via ACL configuration. This will prevent clients from setting the set-max-intset-entries configuration parameter. Please see https://redis.io/topics/acl for more information on how to do this.

Comment 10 Tapas Jena 2021-05-07 14:11:32 UTC
AAP 1.2 and Tower are "Not Affected" by this one as the current version of Redis in AAP 1.2 and Tower is 5.0.3 as shown below as well:

[root@ip-10-0-10-39 ~]# dnf list installed | grep redis
redis.x86_64                                  5.0.3-2.module+el8.0.0.z+3657+acb471dc     @rhel-8-appstream-rhui-rpms

Also, the affected functionality i.e. COPY command is Not Explicitly allowed in AAP 1.2 and Tower. In addition to this, for redis, we're just pulling from RHEL packages at this point.

Hence, marking this as "Not Affected".

Comment 11 Nick Tait 2021-05-07 16:06:50 UTC
Statement:

redis:6/redis and redis:5/redis shipped in Red Hat Enterprise Linux 8 are not affected by this flaw as they do not ship vulnerable versions of Redis.

The versions of Redis provided by Red Hat OpenStack Platform are not directly affected by this issue. As a result the impact is lowered and no update will be provided at this time.

Comment 12 Todd Cullum 2021-05-07 18:12:03 UTC
External References:

https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3

Comment 13 Todd Cullum 2021-05-10 20:04:08 UTC
Flaw summary:

In src/intset.c's intsetBlobLen() routine there is the following line:

return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);

If the result of `intrev32ifbe(is->length)*intrev32ifbe(is->encoding)` > UINT32_MAX, then this will cause an unsigned integer wraparound. The incorrect result will then be added to sizeof(intset) and returned. Therefore there will be an incorrect intset blob size. This is a problem because the return value of this function is e.g. used in `intset *newis = zmalloc(size);` to control memory allocation in setTypeDup() of t_set.c. This means the integer wraparound can lead to incorrect memory allocations, which can subsequently lead to out-of-bounds write and read operations. It can be set by setting the set-max-intset-entries configuration parameter (using CONFIG SET command) to a large number, controlling is->encoding and causing the wraparound to occur.
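The wraparound described in the flaw summary, shown as an added example (not Redis source and not part of this bug report): a minimal stand-in for the intset header, the 32-bit product that wraps, and a widened variant that computes the size in 64 bits and rejects values that cannot be represented. The struct layout, function names and the "0 means overflow" return convention are assumptions made for illustration; Redis' actual 6.2.3 fix is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the intset header: two uint32_t fields, as
 * in Comment 13 (the real struct also carries a flexible contents array). */
typedef struct intset {
    uint32_t encoding;   /* element width in bytes: 2, 4 or 8 */
    uint32_t length;     /* number of stored elements */
} intset;

/* Size computation as quoted in the flaw summary: both operands are
 * uint32_t, so the product is evaluated in 32 bits and silently wraps
 * before sizeof(intset) is added. */
size_t blob_len_wrapping(uint32_t encoding, uint32_t length) {
    return sizeof(intset) + length * encoding;
}

/* Hardened variant (assumption, not Redis' exact patch): widen to 64 bits
 * before multiplying and return 0, which is never a valid blob size, when
 * the result would not fit in size_t. */
size_t blob_len_checked(uint32_t encoding, uint32_t length) {
    uint64_t bytes = (uint64_t)length * (uint64_t)encoding;
    if (bytes > (uint64_t)(SIZE_MAX - sizeof(intset))) return 0;
    return sizeof(intset) + (size_t)bytes;
}

int main(void) {
    /* Constructed input: 2^30 elements of 8 bytes each (8 GiB of contents),
     * a length only reachable after raising set-max-intset-entries. */
    uint32_t enc = 8, len = 1u << 30;
    printf("wrapping: %zu bytes (product wrapped to 0)\n",
           blob_len_wrapping(enc, len));
    printf("checked:  %zu bytes\n", blob_len_checked(enc, len));
    return 0;
}
```

On a 64-bit build the wrapping variant reports an 8-byte blob for 8 GiB of contents, which is exactly the undersized allocation the flaw summary warns about.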

Comment 22 errata-xmlrpc 2021-08-06 00:51:22 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 23 Product Security DevOps Team 2021-08-06 01:07:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29478

