Bug 1185729 (CVE-2021-29477) - VUL-0: CVE-2021-29477: redis: Integer overflow via STRALGO LCS command
Summary: VUL-0: CVE-2021-29477: redis: Integer overflow via STRALGO LCS command
Status: RESOLVED FIXED
Alias: CVE-2021-29477
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/283436/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-29477:8.8:(AV:...
Keywords:
Depends on:
Blocks: CVE-2021-32625
Reported: 2021-05-06 14:46 UTC by Gianluca Gabrielli
Modified: 2023-01-25 19:16 UTC
3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-05-06 14:46:32 UTC
CVE-2021-29477

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. The problem is fixed in version 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

References:

https://redis.io/
https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g
https://bugzilla.redhat.com/show_bug.cgi?id=1957410
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29477
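As an added example (not part of this bug report or of Redis itself), a small offline audit script that checks the two things the description gives a defender to act on: whether a build's `redis_version` is below the fixed release on its branch, and whether each enabled ACL user can still reach `STRALGO`. The `INFO server` and `ACL LIST` output embedded below is constructed sample data, and the set of ACL categories that contain STRALGO is an assumption taken from the 6.0 command table.

```python
import re
# Fixed releases named in the advisory, per stable branch.
FIXED = {(6, 0): (6, 0, 13), (6, 2): (6, 2, 3)}
# Categories containing STRALGO in the 6.0 command table (assumption; check `ACL CAT string`).
STRALGO_CATS = {"@read", "@string", "@slow"}

# Constructed sample output of `INFO server` and `ACL LIST` (not from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:6.0.10\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",                          # still exposed
    "user app on #<sha256-placeholder> ~app:* &* +@all -stralgo",  # workaround applied
    "user ro on nopass ~* &* -@all +get +mget",                    # never allowed
    "user legacy off nopass ~* &* +@all",                          # disabled user
]

def parse_version(info_server):
    """Extract (major, minor, patch) from the `redis_version:` line."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("no redis_version field in INFO output")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the build is 6.0 or newer but predates the fix on its branch."""
    if version < (6, 0, 0):
        return False                    # STRALGO was introduced in 6.0
    if version[:2] == (6, 0):
        return version < FIXED[(6, 0)]
    return version < FIXED[(6, 2)]      # 6.1.x/6.2.x; 7.x is past the fix

def stralgo_allowed(acl_line):
    """Evaluate one `ACL LIST` line: rules apply left to right, last one wins."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[2] != "on":
        return False                    # a disabled user cannot run anything
    allowed = False
    for tok in tokens[3:]:
        name = tok.split("|")[0]        # `+stralgo|lcs` still names stralgo
        if tok in ("+@all", "allcommands") or name == "+stralgo":
            allowed = True
        elif tok in ("-@all", "nocommands") or name == "-stralgo":
            allowed = False
        elif tok[0] in "+-" and tok[1:] in STRALGO_CATS:
            allowed = tok[0] == "+"
    return allowed

def audit(info_server, acl_lines):
    version = parse_version(info_server)
    exposed = [line.split()[1] for line in acl_lines if stralgo_allowed(line)]
    return {"version": version, "affected": is_affected(version), "exposed_users": exposed}
```

Run `audit(SAMPLE_INFO, SAMPLE_ACL)` to see the report; on a live host, feed it the real `INFO server` and `ACL LIST` output instead.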
Comment 1 Gianluca Gabrielli 2021-05-06 14:50:25 UTC
Affected versions: <6.2.3, <6.0.13
Fixed versions:     6.2.3,  6.0.13

Affected packages:

 - SUSE:SLE-15:Update/redis 6.0.10
 - openSUSE:Factory/redis   6.2.2

Upstream patch can be found here [0].

[0] https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.patch
Comment 2 OBSbugzilla Bot 2021-05-06 18:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1185729) was mentioned in
https://build.opensuse.org/request/show/891113 15.2 / redis
Comment 3 Swamp Workflow Management 2021-05-07 22:16:01 UTC
openSUSE-SU-2021:0682-1: An update that solves three vulnerabilities, contains 8 features and has one errata is now available.

Category: security (important)
Bug References: 1178205,1182657,1185729,1185730
CVE References: CVE-2021-21309,CVE-2021-29477,CVE-2021-29478
JIRA References: ECO-2417,ECO-2867,PM-1547,PM-1615,PM-1622,PM-1681,SLE-11578,SLE-12821
Sources used:
openSUSE Leap 15.2 (src):    redis-6.0.13-lp152.2.3.1
Comment 4 Jan Zerebecki 2021-05-10 13:43:11 UTC
https://build.suse.de/request/show/240895
Comment 5 Swamp Workflow Management 2021-05-19 16:28:24 UTC
SUSE-SU-2021:1652-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182657,1185729,1185730
CVE References: CVE-2021-21309,CVE-2021-29477,CVE-2021-29478
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    redis-6.0.13-1.10.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    redis-6.0.13-1.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Carlos López 2022-06-10 12:38:41 UTC
Done, closing.