CVE-2021-29478

Impact

An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution.

The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it.

The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2).

Patches

The problem is fixed in version 6.2.3.

Redis 6.0 and earlier are not directly affected by this issue but should be upgraded as they are potentially vulnerable to other issues due to lack of RDB and RESTORE payload sanitization, which was introduced in 6.2.0.

Workarounds

An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

For more information

If you have any questions or comments about this advisory:

• Open an issue in the Redis repository
• Email us at [email protected]