Vulnerability Description
Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redis | Redis | >= 5.0.0, < 5.0.14 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 33 |
| Netapp | Management Services For Element Software | - |
| Netapp | Management Services For Netapp Hci | - |
| Oracle | Communications Operations Monitor | 4.3 |
Related Weaknesses (CWE)
References
- https://github.com/redis/redis/commit/0215324a66af949be39b34be2d55143232c1cb71PatchThird Party Advisory
- https://github.com/redis/redis/security/advisories/GHSA-833w-8v3m-8wwrThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202209-17Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211104-0003/Third Party Advisory
- https://www.debian.org/security/2021/dsa-5001Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://github.com/redis/redis/commit/0215324a66af949be39b34be2d55143232c1cb71PatchThird Party Advisory
- https://github.com/redis/redis/security/advisories/GHSA-833w-8v3m-8wwrThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202209-17Third Party Advisory
FAQ
What is CVE-2021-32762?
CVE-2021-32762 is a vulnerability with a CVSS score of 7.5 (HIGH). Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large...
How severe is CVE-2021-32762?
CVE-2021-32762 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32762?
Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis, Debian Debian Linux, Fedoraproject Fedora, Netapp Management Services For Element Software, Netapp Management Services For Netapp Hci.