CVE-2018-11219 — CRITICAL (9.8)

Q: What is CVE-2018-11219?

CVE-2018-11219 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.

Q: How severe is CVE-2018-11219?

CVE-2018-11219 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-11219?

Check the references section above for vendor advisories and patch information. Affected products include: Redislabs Redis, Debian Debian Linux, Oracle Communications Operations Monitor, Redhat Openstack.

Vulnerability Description

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redislabs	Redis	< 3.2.12
Debian	Debian Linux	9.0
Oracle	Communications Operations Monitor	3.4
Redhat	Openstack	10

Related Weaknesses (CWE)

CWE-190

References

http://antirez.com/news/119ExploitThird Party Advisory
http://www.securityfocus.com/bid/104552Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:0052Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0094Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1860
https://github.com/antirez/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3PatchThird Party Advisory
https://github.com/antirez/redis/commit/e89086e09a38cc6713bcd4b9c29abf92cf393936PatchThird Party Advisory
https://github.com/antirez/redis/issues/5017Third Party Advisory
https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTESThird Party Advisory
https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTESThird Party Advisory
https://security.gentoo.org/glsa/201908-04
https://www.debian.org/security/2018/dsa-4230Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatchThird Party Advisory
http://antirez.com/news/119ExploitThird Party Advisory
http://www.securityfocus.com/bid/104552Third Party AdvisoryVDB Entry

FAQ

What is CVE-2018-11219?

CVE-2018-11219 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.

How severe is CVE-2018-11219?

CVE-2018-11219 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-11219?

Check the references section above for vendor advisories and patch information. Affected products include: Redislabs Redis, Debian Debian Linux, Oracle Communications Operations Monitor, Redhat Openstack.