CVE-2021-32672: Vulnerability in Lua Debugger in Redis
First published: Mon Oct 04 2021(Updated: )
Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/redis | 5:5.0.14-1+deb10u2 5:5.0.14-1+deb10u5 5:6.0.16-1+deb11u2 5:7.0.11-1 5:7.0.14-1 | |
| redhat/redis | <6.2.6 | 6.2.6 |
| redhat/redis | <6.0.16 | 6.0.16 |
| redhat/redis | <5.0.14 | 5.0.14 |
| Redis | >=3.2.0<5.0.14 | |
| Redis | >=6.0.0<6.0.16 | |
| Redis | >=6.2.0<6.2.6 | |
| redhat software collections | ||
| Red Hat Enterprise Linux | =8.0 | |
| Debian | =10.0 | |
| Debian | =11.0 | |
| Fedora | =33 | |
| Fedora | =34 | |
| Fedora | =35 | |
| netapp management services for element software | ||
| NetApp Management Services for NetApp HCI | ||
| Oracle Communications Operations Monitor | =4.3 | |
| Oracle Communications Operations Monitor | =4.4 | |
| Oracle Communications Operations Monitor | =5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-32672 https://nvd.nist.gov/vuln/detail/CVE-2021-32672 https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm
- https://bugzilla.redhat.com/show_bug.cgi?id=2011001
- https://access.redhat.com/errata/RHSA-2021:3925
- https://access.redhat.com/security/cve/cve-2021-32672
- https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd
- https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
- https://security.gentoo.org/glsa/202209-17
- https://security.netapp.com/advisory/ntap-20211104-0003/
- https://www.debian.org/security/2021/dsa-5001
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security-tracker.debian.org/tracker/CVE-2021-32672
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2012198
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2012197
- https://access.redhat.com/errata/RHSA-2021:3873
- https://access.redhat.com/errata/RHSA-2021:3949
- https://access.redhat.com/errata/RHSA-2021:4618
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
Frequently Asked Questions
What is CVE-2021-32672?
CVE-2021-32672 is a vulnerability in Redis that allows users to send malformed requests to the Redis Lua Debugger.
How severe is CVE-2021-32672?
CVE-2021-32672 has a severity rating of 4.3, which is considered medium.
What versions of Redis are affected by CVE-2021-32672?
This vulnerability affects all versions of Redis with Lua debugging support (3.2 or newer).
How can I fix CVE-2021-32672?
To fix CVE-2021-32672, you should update Redis to version 6.2.6 or apply the appropriate remediation provided by your operating system or package manager.
Where can I find more information about CVE-2021-32672?
You can find more information about CVE-2021-32672 on the GitHub security advisory page (https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm) or the Redis GitHub repository (https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd).
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-32672
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/references
- agent/severity
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- package-manager/redhat
- vendor/redis
- canonical/redis
- version/redis/3.2.0
- version/redis/6.0.0
- version/redis/6.2.0
- vendor/redhat
- canonical/redhat software collections
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- vendor/debian
- canonical/debian
- version/debian/10.0
- version/debian/11.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/33
- version/fedora/34
- version/fedora/35
- vendor/netapp
- canonical/netapp management services for element software
- canonical/netapp management services for netapp hci
- vendor/oracle
- canonical/oracle communications operations monitor
- version/oracle communications operations monitor/4.3
- version/oracle communications operations monitor/4.4
- version/oracle communications operations monitor/5.0