CVE-2021-41099

Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

CVSS v3 7.5 HIGH
CVSS v2.0 6.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/redis/redis/commit/c6ad876774f3cc11e32681ea02a2eead00f2c521	Patch Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-j3cr-9h5g-6cph	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
https://security.gentoo.org/glsa/202209-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5001	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://github.com/redis/redis/commit/c6ad876774f3cc11e32681ea02a2eead00f2c521	Patch Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-j3cr-9h5g-6cph	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
https://security.gentoo.org/glsa/202209-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5001	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 (hide)

cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::*

History

21 Nov 2024, 06:25

Type	Values Removed	Values Added
References	~~() https://github.com/redis/redis/commit/c6ad876774f3cc11e32681ea02a2eead00f2c521 - Patch, Third Party Advisory~~	() https://github.com/redis/redis/commit/c6ad876774f3cc11e32681ea02a2eead00f2c521 - Patch, Third Party Advisory
References	~~() https://github.com/redis/redis/security/advisories/GHSA-j3cr-9h5g-6cph - Third Party Advisory~~	() https://github.com/redis/redis/security/advisories/GHSA-j3cr-9h5g-6cph - Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -
References	~~() https://security.gentoo.org/glsa/202209-17 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202209-17 - Third Party Advisory
References	~~() https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory
References	~~() https://www.debian.org/security/2021/dsa-5001 - Third Party Advisory~~	() https://www.debian.org/security/2021/dsa-5001 - Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

07 Nov 2023, 03:38

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/', 'name': 'FEDORA-2021-8913c7900c', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/', 'name': 'FEDORA-2021-61c487f241', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/', 'name': 'FEDORA-2021-aa94492a09', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -

Information

Published : 2021-10-04 18:15

Updated : 2024-11-21 06:25

NVD link : CVE-2021-41099

Mitre link : CVE-2021-41099

CVE.ORG link : CVE-2021-41099

JSON object : View

Products Affected

debian

debian_linux

fedoraproject

fedora

redis

redis

netapp

management_services_for_element_software_and_netapp_hci

oracle

communications_operations_monitor

CWE

CWE-190

Integer Overflow or Wraparound

CWE-680

Integer Overflow to Buffer Overflow

7.5 /10