Bug 1188598 - (CVE-2021-32761) VUL-0: CVE-2021-32761: redis: integer overflow to buffer overflow can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Importance: P3 - Medium : Minor
Target Milestone: ---
Assigned To: Jan Zerebecki
QA Contact: E-mail List
URL: https://smash.suse.de/issue/304912/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-32761:7.5:(AV:...
Reported: 2021-07-22 06:54 UTC by Alexander Bergmann
Modified: 2023-01-25 19:16 UTC (History)

Found By: Security Response Team
Description Alexander Bergmann 2021-07-22 06:54:12 UTC
CVE-2021-32761

Redis is an in-memory database that persists on disk. A vulnerability involving
out-of-bounds read and integer overflow to buffer overflow exists starting with
version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems,
Redis `*BIT*` commands are vulnerable to an integer overflow that can potentially be
exploited to corrupt the heap, leak arbitrary heap contents or trigger remote
code execution. The vulnerability involves changing the default
`proto-max-bulk-len` configuration parameter to a very large value and
constructing specially crafted bit commands. This problem only affects
Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions
5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional
workaround to mitigate the problem without patching the `redis-server`
executable is to prevent users from modifying the `proto-max-bulk-len`
configuration parameter. This can be done using ACL to restrict unprivileged
users from using the CONFIG SET command.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32761
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
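The ACL workaround above only helps if no unprivileged user can actually reach CONFIG SET. The following is an added example, not part of this bug report or of Redis itself: a small audit that reads a Redis ACL users file (a constructed sample is embedded) and reports, per user, whether the rule list ends up granting CONFIG SET, applying the rule tokens in order the way Redis does (a later token overrides an earlier one; CONFIG belongs to the @admin and @dangerous categories).

```shell
#!/bin/sh
# Constructed sample ACL file (users.acl style). The "default" user is the
# weak setting: any client can CONFIG SET proto-max-bulk-len. "app" has the
# corrected rule (-@dangerous removes CONFIG); "readonly" only gets CONFIG GET.
SAMPLE_ACL='user default on nopass ~* &* +@all
user app on #0123456789abcdef ~app:* &* +@all -@dangerous
user readonly on nopass ~* &* -@all +@read +config|get
user ops on nopass ~* &* -@all +@admin'

# Print "<user> allowed|denied" for CONFIG SET, one line per user.
# Tokens are evaluated left to right; the last one that affects CONFIG wins.
# Note: "-config|set" (blocking a single subcommand) is Redis 7 syntax;
# "+config|get" (allowing a single subcommand) works from Redis 6.0 on.
config_set_access() {
  printf '%s\n' "$1" | awk '
    $1 == "user" {
      name = $2; allowed = 0
      for (i = 3; i <= NF; i++) {
        t = $i
        if (t == "allcommands" || t == "+@all") allowed = 1
        else if (t == "nocommands" || t == "-@all") allowed = 0
        else if (t == "+@admin" || t == "+@dangerous") allowed = 1
        else if (t == "-@admin" || t == "-@dangerous") allowed = 0
        else if (t == "+config" || t == "+config|set") allowed = 1
        else if (t == "-config" || t == "-config|set") allowed = 0
      }
      printf "%s %s\n", name, (allowed ? "allowed" : "denied")
    }'
}

# Count how many users can run CONFIG SET (0 is the target for unprivileged
# accounts; the default user should be "off" or restricted on a 32-bit host).
count_config_set_users() {
  config_set_access "$1" | grep -c ' allowed$'
}

config_set_access "$SAMPLE_ACL"
```

Run it against the real ACL file with `config_set_access "$(cat /etc/redis/users.acl)"`; every line reporting "allowed" for a non-administrative user defeats the workaround.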
Comment 1 Alexander Bergmann 2021-07-22 06:54:43 UTC
"This problem only affects 32-bit versions of Redis."

Closing bug as INVALID.
Comment 2 Andreas Stieger 2021-07-22 12:21:46 UTC
Reopening: Factory ships redis-6.2.4-2.1.i586.rpm
Comment 3 Andreas Stieger 2021-07-22 14:01:00 UTC
https://build.opensuse.org/request/show/907768
Comment 4 Andreas Stieger 2021-07-22 14:16:06 UTC
https://build.opensuse.org/request/show/907772