CVE-2021-32625 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	An integer overflow bug in Redis versions 6.0 up to 6.2.3 can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix of CVE-2021-29477.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2022	redis	6.2.3-1	6.2.4-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
01 Jun 2021	ASA-202106-12	AVG-2022	redis	High	arbitrary code execution

References
https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq https://github.com/redis/redis/pull/9011 https://github.com/redis/redis/pull/9019 https://github.com/redis/redis/commit/e9a1438ac4c52aa68dfa2a8324b6419356842116

References

https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq
https://github.com/redis/redis/pull/9011
https://github.com/redis/redis/pull/9019
https://github.com/redis/redis/commit/e9a1438ac4c52aa68dfa2a8324b6419356842116

Notes
Workaround ========== A workaround to mitigate the problem is to use an ACL configuration to prevent clients from using the STRALGO LCS command. On systems running Redis version 6.2.3, it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).

Notes

Workaround
==========

A workaround to mitigate the problem is to use an ACL configuration to prevent clients from using the STRALGO LCS command.

On systems running Redis version 6.2.3, it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).