2163133 – (CVE-2022-35977) CVE-2022-35977 redis: Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands may result with false OOM panic

Bug 2163133 (CVE-2022-35977) - CVE-2022-35977 redis: Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands may result with false OOM panic

Summary: CVE-2022-35977 redis: Integer overflow in the Redis SETRANGE and SORT/SORT_RO...

Keywords:
Status:	NEW
Alias:	CVE-2022-35977
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2163188 2163189 2163190 2163191 2163192 2163193 2163194 2163195 2163196 2163380 2163381 2169703
Blocks:	2161476
TreeView+	depends on / blocked

Reported:	2023-01-23 07:38 UTC by Sandipan Roy
Modified:	2025-05-15 08:28 UTC (History)
CC List:	81 users (show)
Fixed In Version:	redis 7.0.8, redis 6.2.9, redis 6.0.17
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2025:0698	0	None	None	None	2025-01-27 02:35:06 UTC
Red Hat Product Errata	RHSA-2025:0595	0	None	None	None	2025-01-22 10:35:48 UTC

Description Sandipan Roy 2023-01-23 07:38:12 UTC

Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j
https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7
https://github.com/redis/redis/releases/tag/6.0.17
https://github.com/redis/redis/releases/tag/6.2.9
https://github.com/redis/redis/releases/tag/7.0.8

Comment 1 Sandipan Roy 2023-01-23 07:45:04 UTC

Created pymodbus tracking bugs for this issue:

Affects: fedora-37 [bug 2163192]


Created python-rq tracking bugs for this issue:

Affects: epel-8 [bug 2163190]


Created redis tracking bugs for this issue:

Affects: epel-7 [bug 2163189]
Affects: fedora-36 [bug 2163191]
Affects: fedora-37 [bug 2163193]

Comment 13 errata-xmlrpc 2025-01-22 10:35:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:0595 https://access.redhat.com/errata/RHSA-2025:0595

Note You need to log in before you can comment on or make changes to this bug.

adudiak
aileenc
akostadi
alcohan
amackenz
amasferr
apevec
bbuckingham
bcoca
bcourt
bdettelb
brking
cbartlet
chazlett
cwelton
davidn
dmayorov
doconnor
eglynn
ehelms
epacific
ggainey
gmalinko
gparvin
haoli
hhorak
hkataria
janstey
jcammara
jhardy
jjoyce
jlledo
jmitchel
jneedle
jobarker
jorton
jschluet
jsherril
juwatts
jwon
kegrant
koliveir
kshier
lhh
lsvaty
lzap
mabashia
mburns
mgarciac
mhulan
mkudlej
mmakovy
nathans
njean
nmoumoul
omaciel
orabin
owatkins
pahickey
pbraun
pcreech
pdelbell
pgrist
rchan
rcollet
redis-maint
rhaigner
rhos-maint
rstepani
shvarugh
simaishi
smallamp
smcdonal
spower
stcannon
teagle
tfister
thavo
tjochec
yguenane
zsadeh