Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2021-32625  

An integer overflow bug in Redis versions 6.0 up to 6.2.3 can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix of CVE-2021-29477.

Source
Severity High

Remote Yes

Type Arbitrary code execution

Description 

An integer overflow bug in Redis versions 6.0 up to 6.2.3 can be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix of CVE-2021-29477.

AVG-2022 redis 6.2.3-1 6.2.4-1 High Fixed 

https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq
https://github.com/redis/redis/pull/9011
https://github.com/redis/redis/pull/9019
https://github.com/redis/redis/commit/e9a1438ac4c52aa68dfa2a8324b6419356842116

Workaround
==========

A workaround to mitigate the problem is to use an ACL configuration to prevent clients from using the STRALGO LCS command.

On systems running Redis version 6.2.3, it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started