CVE-2021-32625

Name: CVE-2021-32625
Description: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 989351

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version           | Status
redis (PTS)    | stretch            | 3:3.2.6-3+deb9u3  | fixed
               | stretch (security) | 3:3.2.6-3+deb9u4  | fixed
               | buster             | 5:5.0.3-4+deb10u3 | fixed
               | buster (security)  | 5:5.0.3-4+deb10u2 | fixed
               | bullseye, sid      | 5:6.0.14-1        | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
redis   | source | stretch    | (not affected) |         |        |
redis   | source | buster     | (not affected) |         |        |
redis   | source | (unstable) | 5:6.0.14-1     |         |        | 989351

Notes

[buster] - redis <not-affected> (Vulnerable code not present)
[stretch] - redis <not-affected> (Vulnerable code not present)
https://github.com/redis/redis/pull/9011
https://github.com/redis/redis/commit/1ddecf1958924b178b76a31d989ef1e05af81964
This CVE is the result of an incomplete fix for CVE-2021-29477.
