Bug 1980790 (CVE-2021-32625) - CVE-2021-32625 redis: Heap corruption via `STRALGO LCS` command (Incomplete fix for CVE-2021-29477)
Summary: CVE-2021-32625 redis: Heap corruption via `STRALGO LCS` command (Incomplete f...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-32625
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1981285 1981286 1981287 1981464
Blocks: 1980792
Reported: 2021-07-09 14:30 UTC by Pedro Sampaio
Modified: 2021-07-15 03:54 UTC (History)

Fixed In Version: redis 6.2.4, redis 6.0.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Redis. An integer overflow could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is the result of an incomplete fix for CVE-2021-29477. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-07-15 03:54:39 UTC
Embargoed:



Description Pedro Sampaio 2021-07-09 14:30:56 UTC
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:

https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq
https://github.com/redis/redis/releases/tag/6.0.14
https://github.com/redis/redis/releases/tag/6.2.4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
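The ACL workaround mentioned in the description, as an added audit script that is not part of the bug report or of the Redis project: it reads a Redis 6 ACL file and lists the users who can still reach STRALGO. The sample ACL file, the user names and the category set for STRALGO (@read, @string, @slow, per the Redis 6 command table) are assumptions; the left-to-right rule evaluation mirrors how Redis applies ACL rules, which is why a trailing `+@all` silently undoes an earlier `-stralgo`.

```python
# Added example: audit a Redis 6 ACL file for users who can still run STRALGO.
# Redis applies ACL rule tokens left to right, so a later "+@all" re-enables a
# command that an earlier "-stralgo" removed. Category membership for STRALGO
# (@read, @string, @slow) is taken from the Redis 6 command table (assumption).
STRALGO_CATEGORIES = {"read", "string", "slow"}


def command_allowed(rules, command, categories):
    """Evaluate ACL rule tokens in order; True if `command` ends up permitted."""
    allowed = False   # Redis users start with no commands
    enabled = True    # "off" disables the user entirely
    for token in rules:
        if token == "off":
            enabled = False
        elif token == "on":
            enabled = True
        elif token in ("allcommands", "+@all"):
            allowed = True
        elif token in ("nocommands", "-@all"):
            allowed = False
        elif token.startswith(("+@", "-@")):
            if token[2:].lower() in categories:       # category grants/revokes
                allowed = token[0] == "+"
        elif token.startswith(("+", "-")):
            name = token[1:].split("|", 1)[0].lower()  # "+stralgo|lcs" -> stralgo
            if name == command:
                allowed = token[0] == "+"
        # ~keys, &channels, >password, nopass, resetpass do not affect commands
    return enabled and allowed


def users_allowed(acl_text, command="stralgo", categories=STRALGO_CATEGORIES):
    """Return the names of users in an ACL file who may run `command`."""
    exposed = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        if command_allowed(parts[2:], command, categories):
            exposed.append(parts[1])
    return exposed


# Constructed sample ACL file: "default" keeps everything, "cache" is hardened,
# "ops" shows the ordering pitfall, "reader" gets STRALGO back via +@string.
SAMPLE_ACL = """\
user default on nopass ~* +@all
user cache on >s3cret ~cache:* +@all -stralgo
user ops on >s3cret ~* -stralgo +@all
user reader on >s3cret ~* -@all +get +@string
user disabled off nopass ~* +@all
"""

if __name__ == "__main__":
    print(users_allowed(SAMPLE_ACL))  # ['default', 'ops', 'reader']
```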

Comment 5 Tapas Jena 2021-07-13 09:26:50 UTC
Analysis is complete for Ansible components and it was found that none of the Ansible components use the affected version of Redis, i.e. 6.0 or newer. The current version of Redis in AAP 1.2 and AAP 2.0 is 5.0.5 and 5.0.3 respectively, as shown below:

AAP 1.2
[root@localhost vagrant]# rpm -qi rh-redis5-redis-5.0.5-1.el7.x86_64
Name        : rh-redis5-redis
Version     : 5.0.5
Release     : 1.el7
Architecture: x86_64

AAP 2.0
[root@ip-10-0-11-92 ec2-user]# rpm -qi redis-5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64
Name        : redis
Version     : 5.0.3
Release     : 2.module+el8.0.0.z+3657+acb471dc
Architecture: x86_64

Apart from the affected version, Redis is not directly embedded into any Ansible component. It is being consumed from RHEL.

Hence, marking Ansible as "Not Affected" by this bug/vulnerability.

Comment 6 Product Security DevOps Team 2021-07-15 03:54:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32625

