Headline
CVE-2021-32761
Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis *BIT* commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
Impact
On 32-bit versions, Redis BITFIELD command is vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.
This problem only affects 32-bit versions of Redis.
Patches
The problem is fixed in Redis 6.2.5, 6.0.15, 5.0.13.
Workarounds
An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from using the BITFIELD command. This can be done using ACL in Redis 6.0 and above.
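The following POSIX shell helper is an added example, not part of this advisory or of the Redis project: it decides whether a given redis-server version and pointer width fall inside the affected range stated above, and prints a users.acl line that implements both workarounds for an unprivileged user (no BITFIELD, and no CONFIG SET). It assumes the caller obtains the version from `redis-server --version` and the pointer width from the arch_bits field of INFO server; the user name and password are placeholders.

```shell
#!/bin/sh
# Constructed helper for CVE-2021-32761 (not Redis project code).

# "6.0.15" -> 6000015; missing components count as 0.
ver_num() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Returns 0 (true) when VERSION built with ARCH_BITS pointer width is in
# the affected range: 32-bit only, >= 2.2 and below the fixed release of
# the matching branch (5.0.13, 6.0.15, 6.2.5). 2.x-4.x have no fixed
# release and are treated as affected.
cve_2021_32761_affected() {
  ver=$1; bits=$2
  [ "$bits" = "32" ] || return 1                 # 64-bit builds are not affected
  n=$(ver_num "$ver")
  [ "$n" -ge "$(ver_num 2.2)" ] || return 1      # introduced in 2.2
  case "$ver" in
    5.*)   [ "$n" -lt "$(ver_num 5.0.13)" ] ;;
    6.0.*) [ "$n" -lt "$(ver_num 6.0.15)" ] ;;
    6.*)   [ "$n" -lt "$(ver_num 6.2.5)" ] ;;
    *)     [ "$n" -lt "$(ver_num 5.0.13)" ] ;;   # 2.2..4.x affected, 7.x+ not
  esac
}

# users.acl line for an unprivileged user: everything except BITFIELD and
# CONFIG. Redis 6.0 ACLs cannot subtract a single subcommand, so CONFIG is
# removed entirely and only the read-only CONFIG GET is added back.
acl_workaround_line() {
  printf 'user %s on >%s ~* +@all -bitfield -config +config|get\n' "$1" "$2"
}

# Demo with constructed sample values (a 32-bit 6.2.4 build):
if cve_2021_32761_affected "6.2.4" "32"; then
  echo "affected: upgrade, or apply the ACL workaround below"
  acl_workaround_line appuser 'CHANGE_ME'
fi
```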
Credit
This issue was discovered and reported by Huang Zhw.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Redis repository
- Email us at [email protected]
Related news
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Gentoo Linux Security Advisory 202209-17 - Multiple vulnerabilities have been found in Redis, the worst of which could result in arbitrary code execution. Versions less than 7.0.5 are affected.