CVE-2021-32626

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591	Patch Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c	Third Party Advisory
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
https://security.gentoo.org/glsa/202209-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5001	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
	cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::*

History

13 May 2022, 17:21

Type	Values Removed	Values Added
CPE	cpe:2.3:a:netapp:hci:-:::::::*	cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::* cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::* cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::* cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

20 Apr 2022, 00:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

28 Nov 2021, 23:14

Type	Values Removed	Values Added
CPE	cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:::::::*	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::* cpe:2.3:a:netapp:hci:-:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::*
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - Mailing List, Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-5001 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-5001 - Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory
CWE	~~CWE-122~~

17 Nov 2021, 22:18

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - (DEBIAN) https://www.debian.org/security/2021/dsa-5001 - (CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ -

10 Nov 2021, 01:17

Type	Values Removed	Values Added
CPE		cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::*
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/', 'name': 'FEDORA-2021-aa94492a09', 'tags': [], 'refsource': 'FEDORA'} ~~{'url': 'https://security.netapp.com/advisory/ntap-20211104-0003/', 'name': 'https://security.netapp.com/advisory/ntap-20211104-0003/', 'tags': [], 'refsource': 'CONFIRM'}~~
References	~~(MLIST) https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E - Mailing List, Third Party Advisory

04 Nov 2021, 09:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ -

30 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -

26 Oct 2021, 01:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E -

13 Oct 2021, 16:04

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c -~~	(CONFIRM) https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ - Mailing List, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ - Mailing List, Third Party Advisory
References	~~(MISC) https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591 -~~	(MISC) https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591 - Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : 6.5 v3 : 8.8
CPE		cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::* cpe:2.3:a:redis:redis::::::::

13 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -
CWE		CWE-787 CWE-122

04 Oct 2021, 18:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-10-04 18:15

Updated : 2024-02-04 22:08

NVD link : CVE-2021-32626

Mitre link : CVE-2021-32626

CVE.ORG link : CVE-2021-32626

JSON object : View

Products Affected

oracle

communications_operations_monitor

debian

debian_linux

redis

redis

netapp

management_services_for_element_software
management_services_for_netapp_hci

fedoraproject

fedora

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

8.8 /10