CVE-2021-29478 : Security Advisory and Response
Learn about CVE-2021-29478, a critical vulnerability in Redis versions >= 6.2.0 and < 6.2.3 that could allow remote code execution. Find mitigation steps and impact details here.
A vulnerability in the COPY command for large intsets in Redis versions >= 6.2.0 and < 6.2.3 could allow remote attackers to execute arbitrary code by exploiting an integer overflow bug. Learn about the impact, technical details, and mitigation steps below.
Understanding CVE-2021-29478
This section provides insight into the vulnerability CVE-2021-29478 in Redis.
What is CVE-2021-29478?
CVE-2021-29478 is a security vulnerability in Redis versions >= 6.2.0 and < 6.2.3 that results from an integer overflow bug in the COPY command for large intsets, potentially leading to remote code execution.
The Impact of CVE-2021-29478
The impact of this vulnerability is rated as HIGH according to the CVSS v3.1 metrics. Attackers with low privileges can use this flaw to compromise confidentiality, integrity, and availability of affected systems.
Technical Details of CVE-2021-29478
Explore the technical aspects of CVE-2021-29478 to better understand the vulnerability.
Vulnerability Description
The vulnerability stems from an integer overflow bug in the COPY command for large intsets in Redis versions >= 6.2.0 and < 6.2.3, allowing attackers to corrupt the heap memory and potentially achieve remote code execution.
Affected Systems and Versions
Redis versions >= 6.2.0 and < 6.2.3 are affected by this vulnerability. Earlier versions such as Redis 6.0 are not directly impacted.
Exploitation Mechanism
Remote attackers can exploit this vulnerability by leveraging the integer overflow bug in the COPY command for large intsets to execute arbitrary code on vulnerable Redis instances.
Mitigation and Prevention
Discover the steps to mitigate and prevent the exploitation of CVE-2021-29478.
Immediate Steps to Take
To address this issue, users are advised to update their Redis installations to version 6.2.3 or apply the provided workaround by restricting unprivileged users from modifying the
set-max-intset-entriesLong-Term Security Practices
Implementing robust security practices, including regular vulnerability assessments, access control, and monitoring, can enhance the overall security posture of Redis deployments.
Patching and Updates
Stay updated with security advisories and promptly apply patches released by Redis to address critical vulnerabilities like CVE-2021-29478.