Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted commands bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

An update of the redis package has been released.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5221-1 advisory.

    It was discovered that Redis incorrectly handled certain specially crafted Lua scripts. A remote attacker     could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2021-32626)

    It was discovered that Redis incorrectly handled some malformed requests when using Redis Lua Debugger. A     remote attacker could possibly use this issue to cause a denial of service or other unspecified impact.
    This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-32672)

    It was discovered that Redis incorrectly handled certain Redis Standard Protocol (RESP) requests. A remote     attacker could possibly use this issue to cause a denial of service. (CVE-2021-32675)

    It was discovered that Redis incorrectly handled some configuration parameters with specially crafted     network payloads. A remote attacker could possibly use this issue to cause a denial of service or execute     arbitrary code. Vulnerabilities CVE-2021-32627 and CVE-2021-41099 only affected Ubuntu 18.04 ESM and     Ubuntu 20.04 ESM. (CVE-2021-32627, CVE-2021-32628, CVE-2021-32687, CVE-2021-41099).

    It was discovered that Redis incorrectly handled memory when processing certain input in 32-bit systems. A     remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. One     vulnerability (CVE-2021-32761) only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM and     another vulnerability (CVE-2021-21309) only affected Ubuntu 18.04 ESM. (CVE-2021-32761, CVE-2021-21309).

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of redis installed on the remote host is prior to 6.2.5-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2REDIS6-2023-005 advisory.

    Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and     integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15,     and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can     potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code     execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to     a very large value and constructing specially crafted commands bit commands. This problem only affects     Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5     contain patches for this issue. An additional workaround to mitigate the problem without patching the     `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration     parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
    (CVE-2021-32761)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202209-17 (Redis: Multiple Vulnerabilities)

  - Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted     Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete     checks for this condition. This can result with heap corruption and potentially remote code execution.
    This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is     fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to     mitigate the problem without patching the redis-server executable is to prevent users from executing Lua     scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. (CVE-2021-32626)

  - Redis is an open source, in-memory database that persists on disk. In affected versions an integer     overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code     execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-     limit configuration parameters to very large values and constructing specially crafted very large stream     elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an     additional workaround to mitigate the problem without patching the redis-server executable is to prevent     users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to     restrict unprivileged users from using the CONFIG SET command. (CVE-2021-32627)

  - Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist     data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result     with remote code execution. The vulnerability involves modifying the default ziplist configuration     parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-     ziplist-value) to a very large value, and then constructing specially crafted commands to create very     large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to     mitigate the problem without patching the redis-server executable is to prevent users from modifying the     above configuration parameters. This can be done using ACL to restrict unprivileged users from using the     CONFIG SET command. (CVE-2021-32628)

  - Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger,     users can send malformed requests that cause the debugger's protocol parser to read data beyond the actual     buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is     fixed in versions 6.2.6, 6.0.16 and 5.0.14. (CVE-2021-32672)

  - Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard     Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the     number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker     delivering specially crafted requests over multiple connections can cause the server to allocate     significant amount of memory. Because the same parsing mechanism is used to handle authentication     requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis     versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the     redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This     can be done in different ways: Using network access control tools like firewalls, iptables, security     groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.
    (CVE-2021-32675)

  - Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all     versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents     of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-     intset-entries configuration parameter to a very large value and constructing specially crafted commands     to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional     workaround to mitigate the problem without patching the redis-server executable is to prevent users from     modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict     unprivileged users from using the CONFIG SET command. (CVE-2021-32687)

  - Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and     integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15,     and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can     potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code     execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to     a very large value and constructing specially crafted commands bit commands. This problem only affects     Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5     contain patches for this issue. An additional workaround to mitigate the problem without patching the     `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration     parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
    (CVE-2021-32761)

  - Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and     redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-     bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not     perform an overflow check before calling the calloc() heap allocation function. This issue only impacts     systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are     therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator     which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.
    (CVE-2021-32762)

  - Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the     underlying string library can be used to corrupt the heap and potentially result with denial of service or     remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration     parameter to a very large value and constructing specially crafted network payloads or commands. The     problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the     problem without patching the redis-server executable is to prevent users from modifying the proto-max-     bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the     CONFIG SET command. (CVE-2021-41099)

  - Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution     environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that     will execute with the (potentially higher) privileges of another Redis user. The Lua script execution     environment in Redis provides some measures that prevent a script from creating side effects that persist     and can affect the execution of the same, or different script, at a later time. Several weaknesses of     these measures have been publicly known for a long time, but they had no security impact as the Redis     security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis     6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at     a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0     and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable,     if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL     rules. (CVE-2022-24735)

  - Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker     attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result     with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An     additional workaround to mitigate this problem without patching the redis-server executable, if Lua     scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.
    (CVE-2022-24736)

  - Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream     key in a specific state may result with heap overflow, and potentially remote code execution. This problem     affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.
    (CVE-2022-31144)

  - Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID. (CVE-2022-33105)

  - Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5 are     vulnerable to an Integer Overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state,     with a specially crafted `COUNT` argument may cause an integer overflow, a subsequent heap overflow, and     potentially lead to remote code execution. This has been patched in Redis version 7.0.5. No known     workarounds exist. (CVE-2022-35951)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5001 advisory.

  - Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted     Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete     checks for this condition. This can result with heap corruption and potentially remote code execution.
    This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is     fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to     mitigate the problem without patching the redis-server executable is to prevent users from executing Lua     scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. (CVE-2021-32626)

  - Redis is an open source, in-memory database that persists on disk. In affected versions an integer     overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code     execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-     limit configuration parameters to very large values and constructing specially crafted very large stream     elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an     additional workaround to mitigate the problem without patching the redis-server executable is to prevent     users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to     restrict unprivileged users from using the CONFIG SET command. (CVE-2021-32627)

  - Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist     data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result     with remote code execution. The vulnerability involves modifying the default ziplist configuration     parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-     ziplist-value) to a very large value, and then constructing specially crafted commands to create very     large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to     mitigate the problem without patching the redis-server executable is to prevent users from modifying the     above configuration parameters. This can be done using ACL to restrict unprivileged users from using the     CONFIG SET command. (CVE-2021-32628)

  - Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger,     users can send malformed requests that cause the debugger's protocol parser to read data beyond the actual     buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is     fixed in versions 6.2.6, 6.0.16 and 5.0.14. (CVE-2021-32672)

  - Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard     Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the     number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker     delivering specially crafted requests over multiple connections can cause the server to allocate     significant amount of memory. Because the same parsing mechanism is used to handle authentication     requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis     versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the     redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This     can be done in different ways: Using network access control tools like firewalls, iptables, security     groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.
    (CVE-2021-32675)

  - Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all     versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents     of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-     intset-entries configuration parameter to a very large value and constructing specially crafted commands     to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional     workaround to mitigate the problem without patching the redis-server executable is to prevent users from     modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict     unprivileged users from using the CONFIG SET command. (CVE-2021-32687)

  - Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and     integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15,     and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can     potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code     execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to     a very large value and constructing specially crafted commands bit commands. This problem only affects     Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5     contain patches for this issue. An additional workaround to mitigate the problem without patching the     `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration     parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
    (CVE-2021-32761)

  - Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and     redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-     bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not     perform an overflow check before calling the calloc() heap allocation function. This issue only impacts     systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are     therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator     which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.
    (CVE-2021-32762)

  - Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the     underlying string library can be used to corrupt the heap and potentially result with denial of service or     remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration     parameter to a very large value and constructing specially crafted network payloads or commands. The     problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the     problem without patching the redis-server executable is to prevent users from modifying the proto-max-     bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the     CONFIG SET command. (CVE-2021-41099)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Huang Zhw reports :

On 32-bit versions, Redis BITFIELD command is vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.

This problem only affects 32-bit versions of Redis.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2717 advisory.

  - Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and     integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15,     and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can     potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code     execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to     a very large value and constructing specially crafted commands bit commands. This problem only affects     Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5     contain patches for this issue. An additional workaround to mitigate the problem without patching the     `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration     parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
    (CVE-2021-32761)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
203707	Photon OS 3.0: Redis PHSA-2021-3.0-0281	Nessus	PhotonOS Local Security Checks	high
183135	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Redis vulnerabilities (USN-5221-1)	Nessus	Ubuntu Local Security Checks	high
181982	Amazon Linux 2 : redis (ALASREDIS6-2023-005)	Nessus	Amazon Linux Local Security Checks	high
165541	GLSA-202209-17 : Redis: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
154948	Debian DSA-5001-1 : redis - security update	Nessus	Debian Local Security Checks	high
152790	Photon OS 4.0: Redis PHSA-2021-4.0-0083	Nessus	PhotonOS Local Security Checks	high
152126	FreeBSD : redis -- Integer overflow issues with BITFIELD command on 32-bit systems (c561ce49-eabc-11eb-9c3f-0800270512f4)	Nessus	FreeBSD Local Security Checks	high
152006	Debian DLA-2717-1 : redis - LTS security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-32761

high

Tenable Plugins

high

high

high

critical

high

high

high

high