high
7.5
CWE
125 680 190 119
Advisory Published
Updated

CVE-2021-32761: Integer overflow issues with *BIT commands on 32-bit systems

First published: Wed Jul 21 2021(Updated: )

Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted commands bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Redislabs Redis>=2.2.0<5.0.13
Redislabs Redis>=6.0<6.0.15
Redislabs Redis>=6.2.0<6.2.5
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
debian/redis
5:5.0.14-1+deb10u2
5:5.0.14-1+deb10u5
5:6.0.16-1+deb11u2
5:7.0.11-1
5:7.0.14-1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2021-32761?

    CVE-2021-32761 is a vulnerability in Redis, an in-memory database, that allows for out-of-bounds read, integer overflow, and buffer overflow attacks.

  • What versions of Redis are affected by CVE-2021-32761?

    Redis versions prior to 5.0.13, 6.0.15, and 6.2.5 are affected by CVE-2021-32761.

  • How severe is CVE-2021-32761?

    CVE-2021-32761 has a severity rating of 7.5 (high).

  • What is the impact of CVE-2021-32761?

    CVE-2021-32761 can lead to out-of-bounds read, integer overflow, and buffer overflow attacks, potentially allowing an attacker to execute arbitrary code or cause a denial of service.

  • How can I mitigate the vulnerability CVE-2021-32761 in Redis?

    To mitigate CVE-2021-32761, it is recommended to update Redis to versions 5.0.13, 6.0.15, or 6.2.5 or later, depending on the currently installed version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203