CVE-2021-32761 - log back

CVE-2021-32761 edited at 22 Jul 2021 08:17:38
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary code execution
Description
+ A security issue has been found in Redis before version 6.2.5. In 32-bit versions, the Redis BITFIELD command is vulnerable to an integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.
References
+ https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
+ https://github.com/redis/redis/pull/9191
+ https://github.com/redis/redis/commit/835d15b5360e277e6f95529c4d8685946a977ddd
Notes
+ Workaround
+ ==========
+
+ A workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
CVE-2021-32761 created at 22 Jul 2021 08:13:07