CVE-2021-29478

7.5 HIGH

📋 TL;DR

CVE-2021-29478 is an integer overflow vulnerability in Redis 6.2 that could allow attackers to corrupt heap memory and potentially achieve remote code execution. Only Redis versions 6.2.0 through 6.2.2 are affected. Redis 6.0 and earlier versions are not vulnerable to this specific issue.

💻 Affected Systems

Products:
  • Redis
Versions: 6.2.0 through 6.2.2
Operating Systems: All operating systems running Redis
Default Config Vulnerable: ✅ No
Notes: Requires ability to modify 'set-max-intset-entries' configuration parameter via CONFIG SET command


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment
🟠 Likely Case: Denial of service through Redis service crash or heap corruption
🟢 If Mitigated: Limited impact with proper ACL restrictions preventing configuration changes

🌐 Internet-Facing: HIGH - Redis often exposed directly to internet with default configurations
🏢 Internal Only: MEDIUM - Still significant risk from internal threats or lateral movement

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to execute CONFIG SET command with specific parameters to trigger integer overflow

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.3

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3

Restart Required: Yes

Instructions:

1. Download Redis 6.2.3 or later from redis.io or your package manager.
2. Stop Redis service.
3. Install new version.
4. Restart Redis service.
5. Verify version with 'redis-server --version'

🔧 Temporary Workarounds

ACL Restriction for CONFIG SET

all

Prevent unprivileged users from modifying configuration via ACL rules

redis-cli ACL SETUSER <username> -@all +@read +@connection +@pubsub -CONFIG

🧯 If You Can't Patch

  • Implement strict ACL rules to prevent users from using CONFIG SET command
  • Restrict network access to Redis to only trusted sources using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check Redis version with 'redis-server --version' or 'redis-cli INFO server | grep redis_version'

Check Version:

redis-server --version

Verify Fix Applied:

Confirm version is 6.2.3 or later using 'redis-server --version'
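The version check above is easy to script across a fleet. The following is an added example (not code from Redis or from this advisory's source): it parses either the output of `redis-server --version` or the `redis_version:` line from `INFO server` and reports whether the version falls in the affected 6.2.0 through 6.2.2 range. The sample outputs embedded in the block are constructed for illustration.

```python
import re

# Affected and fixed versions as stated in the advisory.
AFFECTED_MIN = (6, 2, 0)
AFFECTED_MAX = (6, 2, 2)
FIXED = (6, 2, 3)

# Constructed sample outputs (not captured from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:6.2.2\r\nredis_mode:standalone\r\n"
SAMPLE_VERSION = "Redis server v=6.2.3 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=0000000000000000"


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from 'INFO server' or 'redis-server --version' output."""
    # 'INFO server' prints a line like: redis_version:6.2.2
    m = re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        # 'redis-server --version' prints: Redis server v=6.2.2 sha=... malloc=... bits=64 build=...
        m = re.search(r"Redis server v=(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no Redis version found in input")
    return tuple(int(part) for part in m.groups())


def is_affected(version: tuple) -> bool:
    """True only for the 6.2.0 .. 6.2.2 range named in the advisory; 6.0.x and 6.2.3+ are not affected."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text: str) -> str:
    """Return a one-word verdict for a captured version string."""
    version = parse_version(text)
    if is_affected(version):
        return "VULNERABLE"
    if version >= FIXED or version < AFFECTED_MIN:
        return "NOT_AFFECTED"
    return "UNKNOWN"


if __name__ == "__main__":
    for sample in (SAMPLE_INFO, SAMPLE_VERSION):
        print(".".join(map(str, parse_version(sample))), assess(sample))
```

Feed it the real output of `redis-cli INFO server` or `redis-server --version` from each host; a tuple comparison avoids the classic string-comparison mistake where "6.2.10" sorts before "6.2.3".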

📡 Detection & Monitoring

Log Indicators:

  • CONFIG SET commands with set-max-intset-entries parameter
  • Redis crash logs or segmentation faults

Network Indicators:

  • Unusual CONFIG SET commands from untrusted sources

SIEM Query:

source="redis" AND (command="CONFIG" AND args="set-max-intset-entries")
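Redis does not log commands by default, but `redis-cli MONITOR` (or a proxy capturing the same stream) produces lines of the form `<timestamp> [<db> <client-addr>] "CMD" "arg" ...`. The following is an added example, not code from Redis or from this advisory's source, that applies the log and network indicators above to such lines: it flags any CONFIG SET of set-max-intset-entries and, optionally, ignores clients on a trusted-host allowlist so that only changes from untrusted sources are reported. The MONITOR lines and the trusted-host set are constructed for illustration.

```python
import re
import shlex

# MONITOR line: "<unix ts> [<db> <ip:port>] "CMD" "arg1" ..."
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<cmd>.*)$')

# Constructed sample MONITOR output (not captured from a real host).
SAMPLE_MONITOR = [
    '1620000000.000001 [0 127.0.0.1:40001] "PING"',
    '1620000000.000002 [0 10.0.0.5:51234] "CONFIG" "SET" "set-max-intset-entries" "512"',
    '1620000000.000003 [0 10.0.0.5:51234] "SADD" "s" "1" "2"',
    '1620000000.000004 [0 127.0.0.1:40001] "config" "set" "set-max-intset-entries" "512"',
    '1620000000.000005 [0 10.0.0.9:52000] "CONFIG" "GET" "set-max-intset-entries"',
]


def parse_monitor_line(line: str):
    """Split one MONITOR line into timestamp, client address and argv; None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if m is None:
        return None
    # Arguments are double-quoted; shlex handles the quoting used here.
    argv = shlex.split(m.group("cmd"))
    return {"ts": float(m.group("ts")), "addr": m.group("addr"), "argv": argv}


def is_intset_config_change(argv) -> bool:
    """True for CONFIG SET set-max-intset-entries in any letter case; CONFIG GET is not flagged."""
    return (
        len(argv) >= 3
        and argv[0].upper() == "CONFIG"
        and argv[1].upper() == "SET"
        and argv[2].lower() == "set-max-intset-entries"
    )


def scan(lines, trusted_hosts=frozenset()):
    """Return (client address, new value) for each flagged change from a host outside trusted_hosts."""
    hits = []
    for line in lines:
        rec = parse_monitor_line(line)
        if rec is None or not is_intset_config_change(rec["argv"]):
            continue
        host = rec["addr"].rsplit(":", 1)[0]
        if host in trusted_hosts:
            continue
        value = rec["argv"][3] if len(rec["argv"]) > 3 else None
        hits.append((rec["addr"], value))
    return hits


if __name__ == "__main__":
    # Constructed allowlist: the local admin host is trusted, everything else is not.
    for addr, value in scan(SAMPLE_MONITOR, trusted_hosts={"127.0.0.1"}):
        print(f"CONFIG SET set-max-intset-entries={value} from untrusted client {addr}")
```

With an empty allowlist every such change is reported; with the local host trusted only the change from 10.0.0.5 remains, which matches the "unusual CONFIG SET commands from untrusted sources" indicator. Pair this with the ACL workaround above: once CONFIG is denied for unprivileged users, any hit here is either an authorised administrator or a misconfigured ACL.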
