Impact
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result in remote code execution.
The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values, and using the COPY command to duplicate it.
The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result in a corrupted RDB or DUMP payload, but it could not be exploited through COPY, which did not exist before 6.2.
Patches
The problem is fixed in version 6.2.3.
Redis 6.0 and earlier are not directly affected by this issue but should be upgraded, as they are potentially vulnerable to other issues due to the lack of RDB and RESTORE payload sanitization, which was introduced in 6.2.0.
Workarounds
A workaround that mitigates the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL rules that restrict unprivileged users from using the CONFIG SET command, so that the value can only be set through redis.conf or by an administrative user.
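An ACL file that implements this workaround, added here as an example; it is not part of the advisory or of the Redis project's own files. The user names and passwords are placeholders chosen for the example and must be replaced, and the file path is an assumption.

```conf
# /etc/redis/users.acl  (assumed path; loaded with "aclfile /etc/redis/users.acl" in redis.conf)
#
# Rules are applied left to right. The application user receives every command
# via +@all and then has CONFIG removed again with -config, so CONFIG SET
# (and therefore set-max-intset-entries) can no longer be changed from that
# connection. Key pattern ~* grants access to all keys; narrow it if possible.
user admin on >change-me-admin ~* +@all
user app on >change-me-app ~* +@all -config

# The built-in "default" user is normally password-less with full rights.
# Disable it so that unauthenticated clients cannot reach CONFIG SET either;
# administrators log in as "admin" instead.
user default off
```

The same rules can be applied to a running server with ACL SETUSER (for example `ACL SETUSER app on >change-me-app ~* +@all -config`) followed by ACL SAVE when an aclfile is configured. To verify, run `redis-cli --user app --pass change-me-app CONFIG SET set-max-intset-entries 1000000`: the server must answer with a NOPERM error, and `ACL GETUSER app` should list `-config` among the user's commands. If the application legitimately needs to read the configuration, append `+config|get` after `-config` to re-enable only the GET subcommand; Redis 6.x accepts this allow-subcommand form but not a deny of a single subcommand such as `-config|set`, which is why the whole command is removed first.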
For more information
If you have any questions or comments about this advisory: