CVE-2016-8339
published 2016-10-28


Priority: P262, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.83% (96.3th percentile)
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redis | < redis 3:3.2.4-1 (bookworm) | redis 3:3.2.4-1 (bookworm) |
| redis | redis | | |
| redis | redis | >= 0 < 3:3.2.4-1 | 3:3.2.4-1 |
| redis | redis | >= 0 < 3:3.2.4-1 | 3:3.2.4-1 |
| redis | redis | >= 0 < 3:3.2.4-1 | 3:3.2.4-1 |
| redis | redis | >= 0 < 3:3.2.4-1 | 3:3.2.4-1 |
| redislabs | redis | | |
| redislabs | redis | | |
| redislabs | redis | | |
| redislabs | redis | | |

Detection & IOCs

url: https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d2977
command: CONFIG SET client-output-buffer-limit master <args>
snort: Snort Rule: 40301
  • Detect Redis CONFIG SET commands specifying 'master' as the client type in the client-output-buffer-limit option, which is not a valid client class for this option and triggers the OOB write.
  • Monitor Redis traffic for crafted CONFIG SET commands targeting the client-output-buffer-limit option as an indicator of exploitation attempts.
  • The vulnerability affects Redis 3.2.x prior to 3.2.4 only; versions at or above 3.2.4 are patched.
  • The getClientTypeByName function returns values in the range [-1, 3], but the client_obuf_limits array has a declared size of only 3, making the 'master' client type (index 3) an out-of-bounds write target.
  • Snort rule 40301 may be updated; always refer to the FireSIGHT Management Center or Snort.org for the most current rule version.
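The first detection point above, as an added Python example that is not code from this page, Redis, or the Snort rule: it parses a client byte stream (RESP arrays and inline commands) and flags CONFIG SET client-output-buffer-limit values that name the 'master' class. The function names and the sample stream are constructed for illustration; case-insensitive matching and the `<class> <hard> <soft> <seconds>` value layout are assumptions based on standard Redis configuration syntax.

```python
OPTION = b"client-output-buffer-limit"

def parse_commands(stream: bytes):
    """Yield each client command (RESP array or inline) as a list of byte-string args."""
    pos = 0
    while pos < len(stream):
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            return                      # incomplete trailing line
        line, pos = stream[pos:eol], eol + 2
        if not line.startswith(b"*"):
            if line.strip():
                yield line.split()      # inline (plain text) command
            continue
        try:
            args = []
            for _ in range(int(line[1:])):
                hdr_end = stream.index(b"\r\n", pos)
                size = int(stream[pos + 1:hdr_end])
                start = hdr_end + 2
                if stream[pos:pos + 1] != b"$" or size < 0 or start + size + 2 > len(stream):
                    raise ValueError("malformed or truncated bulk string")
                args.append(stream[start:start + size])
                pos = start + size + 2
        except ValueError:
            return                      # stop on malformed or truncated input
        yield args

def sets_master_limit(args) -> bool:
    """True for CONFIG SET client-output-buffer-limit naming the 'master' class."""
    if len(args) < 4 or (args[0].upper(), args[1].upper()) != (b"CONFIG", b"SET") \
            or args[2].lower() != OPTION:
        return False
    # Numeric limit fields can never equal "master", so every token is checked.
    tokens = b" ".join(args[3:]).split()
    return any(t.strip(b"\"'").lower() == b"master" for t in tokens)

def scan(stream: bytes):
    return [a for a in parse_commands(stream) if sets_master_limit(a)]

def resp(*parts: bytes) -> bytes:       # encoder used only to build the sample
    return b"*%d\r\n" % len(parts) + b"".join(b"$%d\r\n%s\r\n" % (len(p), p) for p in parts)

# Constructed sample stream, not captured traffic.
SAMPLE = (resp(b"PING")
          + resp(b"CONFIG", b"SET", OPTION, b"slave 268435456 67108864 60")
          + resp(b"config", b"set", b"Client-Output-Buffer-Limit", b"master 0 0 0")
          + b'CONFIG SET client-output-buffer-limit "normal 0 0 0"\r\n')
```

`scan(SAMPLE)` returns only the third command; the legitimate `slave` and `normal` settings pass through unflagged.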

CVSS provenance

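| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 6.6 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |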