Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit systems. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.
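A triage helper for the advisory above, added here as an example (it is not part of the bug report or of Redis): it parses a server's INFO reply, checks version and architecture against the affected range, and prints the ACL workaround. SAMPLE_INFO is constructed; `ACL SETUSER` is the standard Redis 6 ACL command.

```python
"""Triage helper for the STRALGO LCS issue above: parse a Redis INFO reply,
flag builds in the affected window (32-bit, 6.0 <= v < 6.0.14 or 6.2 <= v < 6.2.4)
and emit the ACL workaround. Added example, not from the bug report."""

# Constructed INFO excerpt standing in for `redis-cli INFO server` output.
SAMPLE_INFO = """# Server
redis_version:6.0.9
arch_bits:32
"""

def parse_info(raw: str) -> dict:
    """Turn 'key:value' INFO lines into a dict; skip '#' headers and blanks."""
    fields = {}
    for line in raw.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def parse_version(text: str) -> tuple:
    """'6.0.9' -> (6, 0, 9); drop suffixes such as '-rc1', pad short versions."""
    parts = [int(p) for p in text.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(info: dict) -> bool:
    """64-bit and pre-6.0 are out of scope; 6.0.x fixed at 6.0.14, later at 6.2.4."""
    if info.get("arch_bits") != "32":
        return False
    ver = parse_version(info["redis_version"])
    if ver < (6, 0, 0):
        return False
    if ver[:2] == (6, 0):
        return ver < (6, 0, 14)
    return ver < (6, 2, 4)

def acl_workaround(user: str = "default") -> str:
    """ACL command that keeps the user's other rules and removes STRALGO.
    Redis 6 ACLs cannot subtract one subcommand, so the whole command goes."""
    return f"ACL SETUSER {user} -stralgo"

if __name__ == "__main__":
    info = parse_info(SAMPLE_INFO)
    verdict = "affected" if is_affected(info) else "not affected"
    print(f"Redis {info['redis_version']} ({info['arch_bits']}-bit): {verdict}")
    if verdict == "affected":
        print("workaround:", acl_workaround())
```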
Analysis is complete for Ansible components and it was found that none of the Ansible components use the affected version of Redis, i.e. 6.0 or newer. The current version of Redis in AAP 1.2 and AAP 2.0 is 5.0.5 and 5.0.3 respectively, as shown below:
[root@localhost vagrant]# rpm -qi rh-redis5-redis-5.0.5-1.el7.x86_64
Name : rh-redis5-redis
Version : 5.0.5
Release : 1.el7
[root@ip-10-0-11-92 ec2-user]# rpm -qi redis-5.0.3-2.module+el8.0.0.z+3657+acb471dc.x86_64
Name : redis
Version : 5.0.3
Release : 2.module+el8.0.0.z+3657+acb471dc
Apart from the affected version, Redis is not directly embedded into any Ansible component. It is being consumed from RHEL.
Hence, marking Ansible as "Not Affected" by this bug/vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):