CVE-2021-32625

7.5 HIGH

📋 TL;DR

CVE-2021-32625 is an integer overflow vulnerability in Redis versions 6.0+ that allows remote attackers to corrupt heap memory via the STRALGO LCS command. This could lead to remote code execution on affected Redis servers. Organizations running Redis 6.0.0-6.0.13 or 6.2.0-6.2.3 are vulnerable.

💻 Affected Systems

Products:
  • Redis
Versions: 6.0.0 to 6.0.13, 6.2.0 to 6.2.3
Operating Systems: All operating systems running affected Redis versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Redis 6.0 or newer; Redis 5.x and earlier do not have the STRALGO command and are not vulnerable. On 64-bit systems that already carry the CVE-2021-29477 fix (6.0.13 or 6.2.3), exploitation additionally requires proto-max-bulk-len to have been raised to 2GB or more.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full control of the Redis server, potentially leading to complete system compromise.

🟠

Likely Case

Denial of service through heap corruption and Redis server crashes.

🟢

If Mitigated

No impact if ACL configuration prevents clients from using STRALGO LCS, or if proto-max-bulk-len is kept below 2GB on 64-bit systems that already carry the CVE-2021-29477 fix (6.0.13 or 6.2.3).

🌐 Internet-Facing: HIGH - Redis servers exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted STRALGO LCS commands. The vulnerability exists because the fix for CVE-2021-29477 was incomplete.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.14 or 6.2.4

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq

Restart Required: Yes

Instructions:

1. Download Redis 6.0.14 or 6.2.4 from official sources.
2. Stop the Redis service.
3. Install the new version.
4. Restart the Redis service.
5. Verify the version with 'redis-server --version'.

🔧 Temporary Workarounds

ACL Restriction

Platform: all

Prevent clients from using the STRALGO command via Redis ACL configuration. Apply the rule to every user that can reach the server, not only the default user shown here, and persist it (ACL SAVE when an aclfile is used, otherwise CONFIG REWRITE) so it survives a restart.

redis-cli ACL SETUSER default -STRALGO

Configuration Limitation

Platform: all

Set proto-max-bulk-len to less than 2GB on 64-bit systems that carry the CVE-2021-29477 fix (6.0.13 or 6.2.3). The Redis default of 512MB already satisfies this, so the check is that the value has not been raised; persist any change with CONFIG REWRITE.

redis-cli CONFIG SET proto-max-bulk-len 1073741824

🧯 If You Can't Patch

  • Implement ACL to block STRALGO LCS command usage
  • Configure proto-max-bulk-len to less than 2GB on 64-bit systems with the CVE-2021-29477 fix (6.0.13 or 6.2.3)

🔍 How to Verify

Check if Vulnerable:

Check the Redis version: if it is between 6.0.0-6.0.13 or 6.2.0-6.2.3, the system is vulnerable.

Check Version:

redis-server --version

Verify Fix Applied:

Verify that the Redis version is 6.0.14+ or 6.2.4+, and confirm that STRALGO LCS behaves as intended: it returns the expected result on a patched build, or a permission error for users whose ACL denies the command.
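An added offline triage helper, not part of this advisory or of Redis itself, that applies the version and configuration rules above to the output of `redis-server --version` or `INFO server`. The banner is constructed and the function names are hypothetical.

```python
"""Offline triage helper for CVE-2021-32625: decides whether a Redis instance is
patched, mitigated by ACL or configuration, or still exposed (hypothetical helper)."""
import re

# Release lines affected by this CVE: first patched release per line, and the
# release that carries only the earlier (incomplete) CVE-2021-29477 fix.
FIRST_FIXED = {0: 14, 2: 4}      # 6.0.14 and 6.2.4
PARTIAL_FIX = {0: 13, 2: 3}      # 6.0.13 and 6.2.3
TWO_GB = 2 * 1024 ** 3

def parse_version(banner):
    """Return (major, minor, patch) from `redis-server --version` or `INFO server` text."""
    m = re.search(r"(?:\bv=|redis_version:)(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Redis version found in banner")
    return tuple(int(x) for x in m.groups())

def parse_bits(banner):
    """Return the word size reported as `bits=NN` (--version) or `arch_bits:NN` (INFO)."""
    m = re.search(r"(?:\bbits=|arch_bits:)(\d+)", banner)
    return int(m.group(1)) if m else 64  # assume 64-bit when not reported

def assess(version, proto_max_bulk_len=None, stralgo_blocked=False, bits=64):
    """Classify exposure. proto_max_bulk_len is the configured value in bytes
    (None when unknown); stralgo_blocked means ACLs deny STRALGO for every user."""
    major, minor, patch = version
    if major < 6:
        return "not_affected"        # STRALGO only exists in Redis 6.0+
    if major > 6:
        return "patched"
    if minor not in FIRST_FIXED:
        return "unknown"             # not one of the 6.0 / 6.2 release lines
    if patch >= FIRST_FIXED[minor]:
        return "patched"
    if stralgo_blocked:
        return "mitigated_acl"
    # The proto-max-bulk-len limit only mitigates builds that already contain
    # the CVE-2021-29477 fix, and only on 64-bit systems.
    if (patch == PARTIAL_FIX[minor] and bits == 64
            and proto_max_bulk_len is not None and proto_max_bulk_len < TWO_GB):
        return "mitigated_config"
    return "vulnerable"

if __name__ == "__main__":
    # Constructed sample banner, not captured from a real host.
    banner = "Redis server v=6.2.3 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=0"
    v = parse_version(banner)
    print(v, assess(v, bits=parse_bits(banner)),
          assess(v, proto_max_bulk_len=512 * 1024 ** 2, bits=parse_bits(banner)))
```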

📡 Detection & Monitoring

Log Indicators:

  • Multiple STRALGO LCS command failures
  • Redis server crashes or abnormal terminations

Network Indicators:

  • Unusual volume of STRALGO LCS commands from single source
  • Large payloads sent to Redis STRALGO command

SIEM Query:

source="redis.log" AND "STRALGO LCS" AND (error OR crash OR exception)
