Redis CVE-2018-11219 Integer Overflow Vulnerability

Bugtraq ID:	104552
Class:	Boundary Condition Error
CVE:	CVE-2018-11219
Remote:	Yes
Local:	No
Published:	Jun 13 2018 12:00AM
Updated:	Apr 17 2019 05:00AM
Credit:	Apple Information Security Team
Vulnerable:	Redis Redis 4.0.9 Redis Redis 3.2.11 Redis Redis 3.2.3 Redis Redis 5.0 RC1 Redis Redis 5.0 Redis Redis 4.0 Redis Redis 3.2.7 Redis Redis 3.0.2 Redis Redis 2.8.21 Oracle Communications Operations Monitor 4.0 Oracle Communications Operations Monitor 3.4
Not Vulnerable:	Redis Redis 4.0.10 Redis Redis 5.0 RC2 Redis Redis 3.2.12

Redis CVE-2018-11219 Integer Overflow Vulnerability

Redis is prone to a remote integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code in the context of a user running the affected application. Failed exploit attempts may cause a denial-of-service condition, denying service to legitimate users.

Redis versions prior to 3.2.12, 4.x prior to 4.0.10, and 5.x prior to 5.0 RC2 are vulnerable.

Redis CVE-2018-11219 Integer Overflow Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Redis CVE-2018-11219 Integer Overflow Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Redis CVE-2018-11219 Integer Overflow Vulnerability

References:

• Antirez Redis - Homepage (Antirez)
  
• Bug 1590062 CVE-2018-11219 redis: Integer overflow in lua_struct.c:b_unpack() (Redhat)
  
• CVE-2018-11219 (Redhat)
  
• Oracle Critical Patch Update Advisory - April 2019 (Oracle)
  
• Redis Lua scripting: several security vulnerabilities fixed (Antirez)