CVE-2021-29477: Redis
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS command.
Related news
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS command. On 64-bit systems which have the fixes of CVE-2021-29477 (6.2.3 or 6.0.13), it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).
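As an added example (not code from Redis or from either advisory), a small Python audit of a redis.conf text for the two mitigations named on this page: an ACL rule that removes STRALGO from every enabled user, and a proto-max-bulk-len below 2GB. It assumes that STRALGO sits in the @read, @string and @slow ACL categories and that ACL command rules apply left to right, so a later +@read re-enables a command denied by an earlier -@all; the sample configs are constructed.

```python
import re

# redis.conf size suffixes (case-insensitive): k/m/g are powers of 1000, kb/mb/gb powers of 1024.
_UNITS = {"": 1, "k": 10**3, "kb": 1024, "m": 10**6, "mb": 1024**2, "g": 10**9, "gb": 1024**3}
# Assumption for this example: STRALGO sits in the @read, @string and @slow ACL categories.
_STRALGO_CATS = {"@all", "@read", "@string", "@slow"}
def parse_memory(value):
    """Convert a redis.conf size such as '512mb' or '2gb' to a byte count."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", value.strip())
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"bad memory value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]
def stralgo_allowed(rules):
    """Apply a user's ACL rules left to right; True if STRALGO is still callable at the end."""
    allowed = False  # a newly defined user starts with no commands
    for r in rules:
        low = r.lower()
        if low in ("allcommands", "nocommands"):
            allowed = low == "allcommands"
        elif low[:1] in "+-" and (low[1:] in _STRALGO_CATS or low[1:].split("|")[0] == "stralgo"):
            allowed = low[0] == "+"  # covers +/-@all, +/-@read etc., -stralgo and +stralgo|lcs
    return allowed
def audit_conf(text):
    """Return (proto-max-bulk-len below 2GB?, sorted enabled users that can still call STRALGO)."""
    bulk, users = 512 * 1024**2, {}  # Redis default when proto-max-bulk-len is absent
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "proto-max-bulk-len" and len(parts) == 2:
            bulk = parse_memory(parts[1])
        elif parts[0] == "user" and len(parts) >= 2:
            users[parts[1]] = parts[2:]
    # Without an explicit 'user default' line Redis creates a default user with full access.
    users.setdefault("default", ["on", "nopass", "~*", "&*", "+@all"])
    exposed = [name for name, rules in users.items()
               if next((r for r in reversed(rules) if r in ("on", "off")), "off") == "on"
               and stralgo_allowed(rules)]
    return bulk < 2 * 1024**3, sorted(exposed)
# Constructed sample configs (not from any real deployment): weak beside hardened.
WEAK_CONF = """proto-max-bulk-len 4gb
user default on nopass ~* &* +@all
user app on >app-secret ~* +@all -stralgo
user reader on >reader-secret ~* -@all +@read
"""
HARDENED_CONF = """proto-max-bulk-len 512mb
user default on nopass ~* &* +@all -stralgo
user reader on >reader-secret ~* -@all +@read -stralgo
"""
```

The `reader` user in WEAK_CONF is the case worth noticing: `-@all +@read` denies everything and then re-grants the @read category, which brings STRALGO back, so the per-command `-stralgo` has to come after any category grant.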