CVE-2021-29477 in Redis

Summary

by MITRE • 05/04/2021

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.


Analysis

by VulDB Data Team • 05/07/2021

CVE-2021-29477 is a critical integer overflow in Redis versions 6.0 and newer, located in the implementation of the STRALGO LCS command. The command computes the longest common subsequence of two strings, and malformed input to it can push the arithmetic involved past the maximum representable value of the integer types used. This type of vulnerability falls under CWE-191 Integer Underflow/Overflow, manifesting here as an integer overflow that can corrupt memory structures.

Exploitation relies on crafted input parameters that make the integer arithmetic inside the STRALGO LCS command overflow, which leads to heap corruption. When Redis processes such input, the overflow disrupts the memory layout and may allow an attacker to manipulate heap metadata or overwrite critical program structures; as the server continues executing with corrupted memory references, this opens the way to arbitrary code execution. The flaw shows how an apparently benign string comparison becomes an attack vector when input validation and arithmetic overflow protection are missing.
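The page does not say where in the STRALGO LCS code the overflow sits, so the following is an added illustration and not Redis's code. It assumes the classic LCS dynamic-programming table of (len_a+1)*(len_b+1) uint32_t cells, and shows how an unchecked 32-bit size computation wraps to a far smaller value than the DP loop will later write, beside the overflow-checked allocation a hardened implementation should use; all function names and the sample strings are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for an (alen+1) x (blen+1) table of uint32_t cells. Returns
 * false instead of wrapping when the product does not fit in size_t. */
bool checked_table_bytes(size_t alen, size_t blen, size_t *out)
{
    if (alen == SIZE_MAX || blen == SIZE_MAX) return false;  /* the +1 would wrap */
    size_t rows = alen + 1, cols = blen + 1;
    if (rows > SIZE_MAX / cols) return false;                /* rows*cols would wrap */
    size_t cells = rows * cols;
    if (cells > SIZE_MAX / sizeof(uint32_t)) return false;   /* cells*4 would wrap */
    if (out) *out = cells * sizeof(uint32_t);
    return true;
}

/* Unchecked 32-bit count: wraps modulo 2^32, so a caller trusting it allocates too few cells. */
uint32_t naive_table_cells_u32(uint32_t alen, uint32_t blen)
{
    return (alen + 1) * (blen + 1);
}

/* LCS length via the classic DP table, allocated only after the size check.
 * Returns -1 on overflow or allocation failure instead of allocating a wrapped size. */
long lcs_length(const char *a, const char *b)
{
    size_t alen = strlen(a), blen = strlen(b), bytes;
    if (!checked_table_bytes(alen, blen, &bytes)) return -1;
    uint32_t *lcs = calloc(1, bytes);
    if (!lcs) return -1;
#define LCS(i, j) lcs[(i) * (blen + 1) + (j)]
    for (size_t i = 1; i <= alen; i++)
        for (size_t j = 1; j <= blen; j++)
            LCS(i, j) = (a[i-1] == b[j-1]) ? LCS(i-1, j-1) + 1
                      : (LCS(i-1, j) > LCS(i, j-1) ? LCS(i-1, j) : LCS(i, j-1));
    long result = (long)LCS(alen, blen);
#undef LCS
    free(lcs);
    return result;
}

int main(void)
{
    printf("LCS(ohmytext, mynewtext) = %ld\n", lcs_length("ohmytext", "mynewtext"));
    printf("unchecked cells for 65535 x 65535: %u\n", (unsigned)naive_table_cells_u32(65535, 65535));
    return 0;
}
```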

The operational impact goes beyond remote code execution itself: the flaw gives threat actors a route to unauthorized access on any system running a vulnerable Redis instance. Organizations that rely on Redis for caching, database operations or message brokering are affected, and sensitive data held in memory by those deployments may be compromised. Successful exploitation could lead to complete system compromise, data exfiltration or further lateral movement within the network. Redis's widespread adoption in cloud environments, web applications and microservice architectures, where it serves as a critical data store, amplifies the severity.

The fix shipped in Redis versions 6.2.3 and 6.0.13, which add integer overflow protection and input validation for the STRALGO LCS command. As a workaround, organizations can use access control list (ACL) configuration to prevent unauthorized clients from executing the vulnerable command, mitigating the risk without immediate patch deployment. This approach aligns with ATT&CK technique T1078 Valid Accounts, since it restricts command execution through access control rather than addressing the vulnerability itself. Administrators should prioritize patching affected Redis installations and putting ACL policies in place to prevent exploitation while maintaining operational continuity. The vulnerability underlines the importance of input validation and arithmetic overflow protection in memory management code, particularly in widely deployed open source components that form the foundation of modern application architectures.

Responsible: GitHub, Inc.
Reservation: 03/30/2021
Disclosure: 05/04/2021
Moderation: accepted
CPE: ready
EPSS: 0.04191
KEV: no
Activities: very low
