CVE-2021-32675

Summary

CVE	CVE-2021-32675
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-10-04 18:15:00 UTC
Updated	2023-11-07 03:35:00 UTC
Description	Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Netapp	Hci	-	All	All	All
Application	Netapp	Management Services For Element Software	-	All	All	All
Application	Netapp	Management Services For Netapp Hci	-	All	All	All
Application	Oracle	Communications Operations Monitor	4.3	All	All	All
Application	Oracle	Communications Operations Monitor	4.4	All	All	All
Application	Oracle	Communications Operations Monitor	5.0	All	All	All
Application	Redis	Redis	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 33 Update: redis-6.0.16-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Redis: Multiple Vulnerabilities (GLSA 202209-17) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] Fedora 33 Update: redis-6.0.16-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Debian -- Security Information -- DSA-5001-1 redis	DEBIAN	www.debian.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[SECURITY] Fedora 35 Update: redis-6.2.6-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
DoS vulnerability in Redis · Advisory · redis/redis · GitHub	CONFIRM	github.com
[geode-notifications] 20211013 [GitHub] [geode] jdeppe-pivotal opened a new pull request #6994: GEODE-9676: Limit array and string sizes for unauthenticated Radish connections		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
October 2021 Redis Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 35 Update: redis-6.2.6-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Prevent unauthenticated client from easily consuming lots of memory (… · redis/redis@5674b00 · GitHub	MISC	github.com
[SECURITY] Fedora 34 Update: redis-6.2.6-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
FEDORA-2021-61c487f241	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159435 Oracle Enterprise Linux Security Update for redis:5 (ELSA-2021-3918)
159436 Oracle Enterprise Linux Security Update for redis:6 (ELSA-2021-3945)
178879 Debian Security Update for redis (DSA 5001-1)
178883 Debian Security Update for redis (DLA 2810-1)
183640 Debian Security Update for redis (CVE-2021-32675)
239688 Red Hat Update for redis:5 (RHSA-2021:3918)
239725 Red Hat Update for red hat openstack platform 13.0 (redis) (RHSA-2021:3980)
239726 Red Hat Update for red hat openstack platform 10.0 (redis) (RHSA-2021:3971)
239727 Red Hat Update for rh-redis5-redis (RHSA-2021:3947)
239728 Red Hat Update for redis:5 (RHSA-2021:3946)
239731 Red Hat Update for redis:5 (RHSA-2021:3944)
239733 Red Hat Update for redis:6 (RHSA-2021:3945)
281978 Fedora Security Update for redis (FEDORA-2021-61c487f241)
281979 Fedora Security Update for redis (FEDORA-2021-8913c7900c)
356248 Amazon Linux Security Advisory for redis : ALASREDIS6-2023-007
376213 Redis Server Heap Overflow Vulnerability
500601 Alpine Linux Security Update for redis
501484 Alpine Linux Security Update for redis
501777 Alpine Linux Security Update for redis
504356 Alpine Linux Security Update for redis
710625 Gentoo Linux Redis Multiple Vulnerabilities (GLSA 202209-17)
730745 Redis Server Multiple Vulnerabilities (GHSA-vw22-qm3h-49pr)
751395 OpenSUSE Security Update for redis (openSUSE-SU-2021:3772-1)
900392 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (5968)
900931 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (6848-1)
940139 AlmaLinux Security Update for redis:6 (ALSA-2021:3945)
940141 AlmaLinux Security Update for redis:5 (ALSA-2021:3918)
960683 Rocky Linux Security Update for redis:6 (RLSA-2021:3945)
960717 Rocky Linux Security Update for redis:5 (RLSA-2021:3918)