CVE-2018-11218 — CRITICAL (9.8)

Q: What is CVE-2018-11218?

CVE-2018-11218 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.

Q: How severe is CVE-2018-11218?

CVE-2018-11218 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-11218?

Check the references section above for vendor advisories and patch information. Affected products include: Redislabs Redis, Debian Debian Linux, Oracle Communications Operations Monitor, Redhat Openstack.

Vulnerability Description

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redislabs	Redis	< 3.2.12
Debian	Debian Linux	9.0
Oracle	Communications Operations Monitor	3.4
Redhat	Openstack	10

Related Weaknesses (CWE)

CWE-787

References

http://antirez.com/news/119ExploitThird Party Advisory
http://www.securityfocus.com/bid/104553Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:0052Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0094Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1860
https://github.com/antirez/redis/commit/52a00201fca331217c3b4b8b634f6a0f57d6b7d3ExploitPatchThird Party Advisory
https://github.com/antirez/redis/commit/5ccb6f7a791bf3490357b00a898885759d98bab0PatchThird Party Advisory
https://github.com/antirez/redis/issues/5017Third Party Advisory
https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTESThird Party Advisory
https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTESThird Party Advisory
https://security.gentoo.org/glsa/201908-04
https://www.debian.org/security/2018/dsa-4230Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatchThird Party Advisory
http://antirez.com/news/119ExploitThird Party Advisory
http://www.securityfocus.com/bid/104553Third Party AdvisoryVDB Entry

FAQ

What is CVE-2018-11218?

CVE-2018-11218 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.

How severe is CVE-2018-11218?

CVE-2018-11218 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-11218?

Check the references section above for vendor advisories and patch information. Affected products include: Redislabs Redis, Debian Debian Linux, Oracle Communications Operations Monitor, Redhat Openstack.