CVE-2021-32625 log

Severity High
Remote Yes
Type Arbitrary code execution
An integer overflow bug in Redis versions 6.0 up to 6.2.3 can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix of CVE-2021-29477.
Group Package Affected Fixed Severity Status Ticket
AVG-2022 redis 6.2.3-1 6.2.4-1 High Fixed
Date Advisory Group Package Severity Type
01 Jun 2021 ASA-202106-12 AVG-2022 redis High arbitrary code execution

A workaround to mitigate the problem is to use an ACL configuration to prevent clients from using the STRALGO LCS command.

On systems running Redis version 6.2.3, it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).