1980790 – (CVE-2021-32625) CVE-2021-32625 redis: Heap corruption via `STRALGO LCS` command (Incomplete fix for CVE-2021-29477)

Bug 1980790 (CVE-2021-32625) - CVE-2021-32625 redis: Heap corruption via `STRALGO LCS` command (Incomplete fix for CVE-2021-29477)

Summary: CVE-2021-32625 redis: Heap corruption via `STRALGO LCS` command (Incomplete f...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-32625
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1981285 1981286 1981287 1981464
Blocks:	1980792
TreeView+	depends on / blocked

Reported:	2021-07-09 14:30 UTC by Pedro Sampaio
Modified:	2021-07-15 03:54 UTC (History)
CC List:	41 users (show)
Fixed In Version:	redis 6.2.4, redis 6.0.14
Clone Of:
Environment:
Last Closed:	2021-07-15 03:54:39 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-07-09 14:30:56 UTC

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix for CVE-2021-29477 which only addresses the problem on 64-bit systems but fails to do that for 32-bit. 64-bit systems are not affected. The problem is fixed in version 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:

https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq
https://github.com/redis/redis/releases/tag/6.0.14
https://github.com/redis/redis/releases/tag/6.2.4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/

Comment 2 Mauro Matteo Cascella 2021-07-12 09:27:36 UTC

Upstream PR:
https://github.com/redis/redis/pull/9011

Upstream fix:
https://github.com/redis/redis/commit/1ddecf1 [unstable]
https://github.com/redis/redis/commit/e9a1438 [6.2]
https://github.com/redis/redis/commit/dd27c4e [6.0]

Comment 5 Tapas Jena 2021-07-13 09:26:50 UTC

Analysis is complete for Ansible components and it was found that None of the ansible components do use the affected version of Redis i.e. 6.0 or newer. The current version of Redis in AAP 1.2 and AAP 2.0 is 5.0.5 and 5.0.3 respectively as shown below:

AAP 1.2
[root@localhost vagrant]# rpm -qi rh-redis5-redis-5.0.5-1.el7.x86_64
Name        : rh-redis5-redis
Version     : 5.0.5
Release     : 1.el7
Architecture: x86_64

AAP 2.0
[root@ip-10-0-11-92 ec2-user]# rpm -qi redis-5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64
Name        : redis
Version     : 5.0.3
Release     : 2.module+el8.0.0.z+3657+acb471dc
Architecture: x86_64

Apart from the affected version, Redis is not directly embedded into any Ansible component.Its being consumed RHEL.

Hence, marking Ansible as "Not Affected" by this bug/vulnerability.

Comment 6 Product Security DevOps Team 2021-07-15 03:54:39 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32625

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
apevec
bcoca
caswilli
chousekn
cmeyers
davidn
dbecker
fabian.deutsch
fedora
fpercoco
gblomqui
gghezzo
gparvin
jal233
jcammara
jhardy
jjoyce
jobarker
jramanat
jschluet
kaycoth
lhh
lpeer
mabashia
mburns
mgoodwin
nathans
notting
osapryki
rcollet
redis-maint
relrod
rpetrell
sclewis
sdoran
slinaber
smcdonal
stcannon
tkuratom
vmugicag