Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:
https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq
https://github.com/redis/redis/releases/tag/6.0.14
https://github.com/redis/redis/releases/tag/6.2.4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
Upstream PR: https://github.com/redis/redis/pull/9011
Upstream fix:
https://github.com/redis/redis/commit/1ddecf1 [unstable]
https://github.com/redis/redis/commit/e9a1438 [6.2]
https://github.com/redis/redis/commit/dd27c4e [6.0]
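As an added example (not code from this bug record, from Red Hat, or from the Redis project), the following POSIX shell helper turns the advisory's two affected conditions (a 32-bit build, and a version below the fixed 6.0.14 or 6.2.4) into a triage check over the text that `redis-cli INFO server` returns, and emits the ACL workaround the advisory names. The `redis_version:` and `arch_bits:` fields are real `INFO server` fields; the sample INFO texts at the bottom are constructed, not captured from any host, and the treatment of 6.1.x pre-releases as affected is an assumption made here.

```shell
#!/bin/sh
# Triage for CVE-2021-32625 (Redis STRALGO LCS integer overflow, 32-bit only).
# Added example, not part of the bug record or the Redis project.
# Affected = arch_bits is 32 AND version is 6.0.0..6.0.13 or 6.2.0..6.2.3
# (fixed releases per the advisory: 6.0.14 and 6.2.4). 6.1.x pre-releases
# predate both fixes and are treated as affected here (an assumption).

# redis_affected_by_cve_2021_32625 <INFO-server-text>
# Prints "affected", "not-affected" or "unknown"; always returns 0.
redis_affected_by_cve_2021_32625() {
    info=$1
    # INFO replies are CRLF-terminated; strip the CR before matching.
    version=$(printf '%s\n' "$info" | tr -d '\r' | sed -n 's/^redis_version://p')
    arch=$(printf '%s\n' "$info" | tr -d '\r' | sed -n 's/^arch_bits://p')

    major=${version%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # no parsable version field
    esac

    # Only 32-bit builds are exploitable; the CVE-2021-29477 fix holds on 64-bit.
    if [ "$arch" != "32" ]; then
        echo not-affected
        return 0
    fi

    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop a "-rc1" style suffix
    patch=${patch:-0}

    if [ "$major" -lt 6 ]; then
        echo not-affected          # STRALGO only exists from 6.0 onwards
    elif [ "$major" -gt 6 ] || [ "$minor" -gt 2 ]; then
        echo not-affected          # 6.3+ and 7.x ship the fix
    elif [ "$minor" -eq 0 ] && [ "$patch" -ge 14 ]; then
        echo not-affected          # 6.0.14 or later
    elif [ "$minor" -eq 2 ] && [ "$patch" -ge 4 ]; then
        echo not-affected          # 6.2.4 or later
    else
        echo affected
    fi
}

# acl_workaround_commands [user]
# Prints the redis-cli commands for the advisory's patch-free workaround.
# Redis 6 ACLs only allow additive subcommand rules, so the whole STRALGO
# command is removed rather than just STRALGO LCS.
acl_workaround_commands() {
    user=${1:-default}
    printf 'ACL SETUSER %s -stralgo\n' "$user"
    printf 'ACL SAVE\n'   # persists the rule only when an aclfile is configured
}

# Constructed sample INFO server excerpts (not real captures).
INFO_SAMPLE_6_0_9_32='# Server
redis_version:6.0.9
arch_bits:32'
INFO_SAMPLE_6_0_9_64='# Server
redis_version:6.0.9
arch_bits:64'
INFO_SAMPLE_6_2_4_32='# Server
redis_version:6.2.4
arch_bits:32'
INFO_SAMPLE_5_0_5_64='# Server
redis_version:5.0.5
arch_bits:64'

for sample in "$INFO_SAMPLE_6_0_9_32" "$INFO_SAMPLE_6_0_9_64" \
              "$INFO_SAMPLE_6_2_4_32" "$INFO_SAMPLE_5_0_5_64"; do
    verdict=$(redis_affected_by_cve_2021_32625 "$sample")
    printf '%s -> %s\n' "$(printf '%s' "$sample" | tr '\n' ' ')" "$verdict"
    if [ "$verdict" = affected ]; then
        echo "  workaround:"
        acl_workaround_commands | sed 's/^/    /'
    fi
done
```

On a live host the function would be fed `"$(redis-cli INFO server)"`; the ACL rule can equally be placed in `redis.conf` as a `user` line (for example `user default on nopass ~* +@all -stralgo`) instead of being applied at runtime.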
Analysis is complete for Ansible components and it was found that none of the Ansible components use the affected version of Redis, i.e. 6.0 or newer. The current version of Redis in AAP 1.2 and AAP 2.0 is 5.0.5 and 5.0.3 respectively, as shown below:

AAP 1.2
[root@localhost vagrant]# rpm -qi rh-redis5-redis-5.0.5-1.el7.x86_64
Name        : rh-redis5-redis
Version     : 5.0.5
Release     : 1.el7
Architecture: x86_64

AAP 2.0
[root@ip-10-0-11-92 ec2-user]# rpm -qi redis-5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64
Name        : redis
Version     : 5.0.3
Release     : 2.module+el8.0.0.z+3657+acb471dc
Architecture: x86_64

Apart from the affected version, Redis is not directly embedded into any Ansible component. It is being consumed from RHEL. Hence, marking Ansible as "Not Affected" by this bug/vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-32625