CVE-2021-32761
published 2021-07-21

Priority: P2 (62) · CVSS 3.1: 7.5 (high)
CVSS vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 31.05% (98.0th percentile)
Redis is an in-memory database that persists on disk. A vulnerability involving an out-of-bounds read and an integer overflow leading to a buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, the Redis `*BIT*` commands are vulnerable to an integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted bit commands. This problem only affects Redis on 32-bit platforms, or Redis compiled as a 32-bit binary. Redis versions 5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Affected

22 ranges
Vendor        | Product                                | Version range                    | Fixed in
debian        | debian_linux                           |                                  |
debian        | debian_linux                           |                                  |
debian        | debian_linux                           |                                  |
debian        | redis                                  | < redis 5:6.0.15-1 (bookworm)    | redis 5:6.0.15-1 (bookworm)
fedoraproject | fedora                                 |                                  |
fedoraproject | fedora                                 |                                  |
msrc          | cbl2_redis_6.2.5-1_on_cbl_mariner_2.0  |                                  |
msrc          | cm1_redis_5.0.14-1_on_cbl_mariner_1.0  |                                  |
redis         | redis                                  |                                  |
redis         | redis                                  |                                  |
redis         | redis                                  |                                  |
redis         | redis                                  | >= 0 < 5:6.0.15-1                | 5:6.0.15-1
redis         | redis                                  | >= 0 < 5:6.0.15-1                | 5:6.0.15-1
redis         | redis                                  | >= 0 < 5:6.0.15-1                | 5:6.0.15-1
redis         | redis                                  | >= 0 < 5:6.0.15-1                | 5:6.0.15-1
redis         | redis                                  | >= 0 < 2:2.8.4-2ubuntu0.2+esm2   | 2:2.8.4-2ubuntu0.2+esm2
redis         | redis                                  | >= 0 < 2:3.0.6-1ubuntu0.4+esm1   | 2:3.0.6-1ubuntu0.4+esm1
redis         | redis                                  | >= 0 < 5:4.0.9-1ubuntu0.2+esm3   | 5:4.0.9-1ubuntu0.2+esm3
redis         | redis                                  | >= 0 < 5:5.0.7-2ubuntu0.1+esm1   | 5:5.0.7-2ubuntu0.1+esm1
redislabs     | redis                                  | >= 2.2.0 < 5.0.13                | 5.0.13
redislabs     | redis                                  | >= 6.0 < 6.0.15                  | 6.0.15
redislabs     | redis                                  | >= 6.2.0 < 6.2.5                 | 6.2.5

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered by issuing *BIT* commands (e.g., BITFIELD) on a 32-bit Redis instance after setting `proto-max-bulk-len` to a very large value via CONFIG SET — monitor for CONFIG SET proto-max-bulk-len with abnormally large values followed by BITFIELD/BITCOUNT/BITPOS/BITOP commands.
  • Focus detection on 32-bit Redis deployments or Redis compiled as a 32-bit binary; 64-bit installations are not affected.
  • Monitor Redis ACL logs and CONFIG SET command usage by unprivileged users as an indicator of attempted exploitation setup.
  • Issuing the BITFIELD command on a 32-bit Redis instance may result in integer wrap-around leading to crash or RCE — alert on BITFIELD commands on 32-bit Redis processes.
  • Only Redis versions prior to 5.0.13, 6.0.15, and 6.2.5 are vulnerable; patch to these versions to remediate.
  • 64-bit Redis packages on RHEL 7 and RHEL 8 are NOT affected; scope detection efforts to 32-bit deployments only.
  • As a workaround without patching, restrict the `proto-max-bulk-len` config parameter from being modified by unprivileged users via ACL.
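To turn the first bullet above into something runnable, here is an added detector (example code, not from the advisory or from the Redis project) that walks Redis MONITOR output and flags a client that raises `proto-max-bulk-len` above the 512 MB default and then issues a bit command. The MONITOR line layout, the 512 MB threshold and the sample lines are assumptions made for this example.

```python
import re
# Redis MONITOR line shape (assumed): '<unix ts> [<db> <client addr>] "ARG" "ARG" ...'
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
BIT_COMMANDS = {"SETBIT", "GETBIT", "BITCOUNT", "BITPOS", "BITOP", "BITFIELD"}  # the `*BIT*` family
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024  # Redis ships with 512mb; above that is abnormal here
# Unit suffixes Redis accepts for memory values (k/m/g are 1000-based, kb/mb/gb are 1024-based).
MEM_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000**2, "mb": 1024**2, "g": 1000**3, "gb": 1024**3}

def parse_mem(value):
    """Parse a Redis memory value such as '536870912' or '1gb'; None if malformed."""
    m = re.fullmatch(r"(\d+)([A-Za-z]*)", value.strip())
    if not m or m.group(2).lower() not in MEM_UNITS:
        return None
    return int(m.group(1)) * MEM_UNITS[m.group(2).lower()]

def parse_monitor_line(line):
    """Return (client, [args]) for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    return (m.group(3), ARG_RE.findall(m.group(4))) if m else None

def detect_bit_overflow_setup(lines, threshold=DEFAULT_PROTO_MAX_BULK_LEN):
    """Return (client, bulk_len, command) for each *BIT* command a client sends after raising proto-max-bulk-len past `threshold`."""
    raised = {}   # client -> oversized proto-max-bulk-len it configured
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        if (cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET"
                and args[2].lower() == "proto-max-bulk-len"):
            value = parse_mem(args[3])
            if value is not None and value > threshold:
                raised[client] = value        # this client primed the condition
            else:
                raised.pop(client, None)      # limit set back to a sane value
        elif cmd in BIT_COMMANDS and client in raised:
            alerts.append((client, raised[client], cmd))
    return alerts

# Constructed sample MONITOR output (not real traffic): 10.0.0.5 primes then triggers,
# 10.0.0.7 issues a harmless BITCOUNT, 10.0.0.9 raises the limit but never uses bit commands.
SAMPLE_MONITOR = """\
1626800000.000001 [0 10.0.0.5:51000] "CONFIG" "SET" "proto-max-bulk-len" "4294967295"
1626800000.100002 [0 10.0.0.5:51000] "SETBIT" "k" "0" "1"
1626800000.200003 [0 10.0.0.5:51000] "BITFIELD" "k" "GET" "u8" "4294967290"
1626800001.000004 [0 10.0.0.7:52000] "BITCOUNT" "stats"
1626800002.000005 [0 10.0.0.9:53000] "CONFIG" "SET" "proto-max-bulk-len" "1gb"
""".splitlines()
```

Because the flag is keyed per client, a benign BITCOUNT from another connection does not alert, and a client that lowers the limit again clears its own state.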

CVSS provenance

nvd v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 6.0 MEDIUM (AV:N/AC:M/Au:S/C:P/I:P/A:P)
osv: 8.8 HIGH
vendor_debian: 7.5 HIGH
vendor_msrc: 7.5 HIGH
vendor_redhat: 7.5 HIGH
vendor_ubuntu: 5.4 MEDIUM