Vulnerability in the COPY command for large intsets

High
oranagra published GHSA-qh52-crrg-44g3 May 3, 2021

Package

No package listed

Affected versions

6.2.x

Patched versions

6.2.3

Description

Impact

An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result in remote code execution.

The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it.

The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result in a corrupted RDB or DUMP payload, but it could not be exploited through COPY (which did not exist before 6.2).

Patches

The problem is fixed in version 6.2.3.

Redis 6.0 and earlier are not directly affected by this issue but should be upgraded as they are potentially vulnerable to other issues due to lack of RDB and RESTORE payload sanitization, which was introduced in 6.2.0.

Workarounds

An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done with ACLs that prevent unprivileged users from using the CONFIG SET command.
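As an added example (not part of the advisory), the following Redis 6.2 ACL file applies the workaround above: application clients keep normal data-access commands but lose CONFIG SET, so they cannot raise set-max-intset-entries. The file name users.acl, the user names and the placeholder passwords are assumptions.

```conf
# users.acl (assumed path; loaded from redis.conf with: aclfile /etc/redis/users.acl)
#
# Goal: only a dedicated operator user may run CONFIG SET, so
# set-max-intset-entries stays at its default and ordinary clients cannot
# enlarge an intset far enough to reach the COPY overflow described above.

# Disable the built-in "default" user (normally on, no password, full access).
# Every client must AUTH as a named user before it can do anything.
user default off

# Application user: full data access restricted to its own key prefix,
# every command except the admin category (which contains CONFIG, DEBUG,
# ACL, SHUTDOWN, ...). CONFIG|GET is re-enabled read-only so the app can
# still inspect settings; CONFIG SET / REWRITE / RESETSTAT stay denied.
user app on >REPLACE_WITH_STRONG_PASSWORD ~app:* +@all -@admin +config|get

# Operator user: the only principal allowed to change runtime configuration.
user admin on >REPLACE_WITH_STRONG_PASSWORD ~* +@all
```

After ACL LOAD (or a restart), AUTH app ... followed by CONFIG SET set-max-intset-entries 1024 returns NOPERM while CONFIG GET set-max-intset-entries still works. Denied CONFIG attempts are recorded by ACL LOG, which is a useful place to alert on clients probing for this configuration change.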

For more information

If you have any questions or comments about this advisory:

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2021-29478

Weaknesses