CVE-2021-32675

7.5 HIGH

📋 TL;DR

CVE-2021-32675 is a memory-allocation denial-of-service flaw in Redis. While parsing an incoming RESP (Redis Serialization Protocol) request, the server allocated memory according to client-supplied values: the element count in the multi-bulk header ("*<count>") and the length of each element in its bulk header ("$<length>"). An attacker who sends crafted headers over many connections, without ever sending the announced payload, can make the server reserve large amounts of memory and exhaust it. No credentials are needed: the AUTH command goes through the same parser, so the allocation happens before the password is ever checked.
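To make the mechanism concrete, the following added example (not Redis source code and not from the advisory) is a toy RESP request parser in Python. Its pre-fix mode accounts for the memory a server would reserve as soon as the length headers arrive; its default mode applies caps to clients that have not yet authenticated, which is the approach the upstream fix took. The cap values, the 8-byte pointer size, the "try_parse" helper and the crafted input are this example's own assumptions; the 512 MiB bulk limit is Redis's proto-max-bulk-len default.

```python
"""Toy RESP request parser showing the allocation pattern behind CVE-2021-32675.

Added example, not Redis code. A RESP request is "*<argc>\r\n" followed by argc
bulk strings, each "$<len>\r\n<payload>\r\n". The affected server sized its argv
array from <argc> and its input buffer from <len> as soon as each header arrived,
before the payload did, and before AUTH had been evaluated. Here the allocation
is only accounted for in `reserved_bytes`, never performed, so the script is safe
to run with a 10^9-element header. The unauthenticated limits follow the approach
of the upstream fix (reject oversized headers from clients that have not
authenticated); the exact numbers are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

POINTER_SIZE = 8                  # one argv slot on a 64-bit build (assumption)
MAX_MULTIBULK = 2**31 - 1         # hard limit on element count (INT_MAX)
MAX_BULK = 512 * 1024 * 1024      # proto-max-bulk-len default, 512 MiB
UNAUTH_MAX_MULTIBULK = 10         # illustrative caps applied before AUTH succeeds
UNAUTH_MAX_BULK = 16 * 1024


class ProtocolError(ValueError):
    pass


@dataclass
class RespParser:
    authenticated: bool = False
    enforce_unauth_limits: bool = True   # False reproduces the pre-fix behaviour
    reserved_bytes: int = 0              # memory a real server would have allocated

    @staticmethod
    def _length(header: bytes, prefix: bytes) -> int:
        """Turn b'*123\\r\\n' or b'$123\\r\\n' into 123, rejecting anything else."""
        if not header.startswith(prefix) or not header.endswith(b"\r\n"):
            raise ProtocolError("Protocol error: expected %r header" % prefix)
        try:
            return int(header[1:-2])
        except ValueError:
            raise ProtocolError("Protocol error: non-numeric length") from None

    def _unauth(self) -> bool:
        return self.enforce_unauth_limits and not self.authenticated

    def parse_request(self, data: bytes) -> Optional[List[bytes]]:
        """Parse one multi-bulk request. Returns argv when complete, None when more
        bytes are needed (memory stays reserved meanwhile), and raises
        ProtocolError when the request is rejected."""
        end = data.find(b"\r\n")
        if end < 0:
            return None
        count = self._length(data[:end + 2], b"*")
        if count < 0 or count > MAX_MULTIBULK:
            raise ProtocolError("Protocol error: invalid multibulk length")
        if self._unauth() and count > UNAUTH_MAX_MULTIBULK:
            raise ProtocolError("Protocol error: unauthenticated multibulk length")
        self.reserved_bytes += count * POINTER_SIZE   # argv array sized by the client
        pos = end + 2
        argv: List[bytes] = []
        for _ in range(count):
            end = data.find(b"\r\n", pos)
            if end < 0:
                return None
            length = self._length(data[pos:end + 2], b"$")
            if length < 0 or length > MAX_BULK:
                raise ProtocolError("Protocol error: invalid bulk length")
            if self._unauth() and length > UNAUTH_MAX_BULK:
                raise ProtocolError("Protocol error: unauthenticated bulk length")
            self.reserved_bytes += length                 # buffer sized by the client
            pos = end + 2
            if len(data) < pos + length + 2:
                return None                               # payload never arrives
            argv.append(data[pos:pos + length])
            pos += length + 2
        return argv


def try_parse(data: bytes, authenticated: bool = False, enforce: bool = True
              ) -> Tuple[Union[None, str, List[bytes]], int]:
    """Convenience wrapper: (argv | None | error message, bytes reserved)."""
    parser = RespParser(authenticated=authenticated, enforce_unauth_limits=enforce)
    try:
        return parser.parse_request(data), parser.reserved_bytes
    except ProtocolError as exc:
        return str(exc), parser.reserved_bytes


if __name__ == "__main__":
    crafted = b"*1000000000\r\n"   # constructed: announces 10^9 arguments, sends none
    print("pre-fix:", try_parse(crafted, enforce=False))   # (None, 8000000000)
    print("fixed:  ", try_parse(crafted))   # ('Protocol error: unauthenticated multibulk length', 0)
    print("AUTH:   ", try_parse(b"*2\r\n$4\r\nAUTH\r\n$6\r\nsecret\r\n"))   # ([b'AUTH', b'secret'], 26)
```

Run as a script it shows that the same one-line header which ties up about 8 GB of argv slots in pre-fix mode is rejected before anything is reserved in fixed mode, while a normal AUTH command still parses; an authenticated client can still send large bulk lengths up to the configured limit.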

💻 Affected Systems

Products:
  • Redis
Versions: Redis versions before 6.2.6, 6.0.16, and 5.0.14
Operating Systems: All operating systems running vulnerable Redis versions
Default Config Vulnerable: ⚠️ Yes
Notes: Every Redis deployment is affected regardless of configuration; the RESP parser cannot be disabled. Setting requirepass does not help, because the oversized allocation is triggered while the request (including an AUTH command) is being parsed, before the password is checked.

📦 What is this software?

Redis is an open-source, in-memory key-value data store that persists to disk, widely used as a cache, session store and message broker. Clients talk to it over TCP (default port 6379) using the RESP protocol whose parser is affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through memory exhaustion, causing Redis to crash or become unresponsive, potentially affecting dependent applications.

🟠

Likely Case

Degraded performance or temporary service disruption due to memory pressure, typically requiring a restart of the Redis service. With a maxmemory limit configured, the reserved memory counts toward that limit, so the first symptom may be key eviction or writes failing with OOM errors rather than a crash.

🟢

If Mitigated

Minimal impact if network access control or TLS client-certificate authentication restricts connections to trusted sources. Password authentication alone does not reduce the impact of this issue.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation possible, making internet-exposed Redis instances particularly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised systems, but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending crafted RESP length headers without the announced payload, which is straightforward. The advisory describes the attack as delivered over multiple connections: each connection ties up the memory its headers announce, and the totals add up until the server runs out.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Redis 6.2.6, 6.0.16, or 5.0.14

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-f6pw-v9gw-v64p

Restart Required: Yes

Instructions:

1. Stop the Redis service (for replicated deployments, upgrade replicas before the primary).
2. Back up the data directory (RDB and AOF files).
3. Upgrade redis-server to 6.2.6, 6.0.16 or 5.0.14, or any later release on the same branch.
4. Restart the Redis service; a running process keeps executing the old code until it is restarted.
5. Confirm the fix is live with redis-cli INFO server (the redis_version field must show the fixed release). Do not rely on redis-cli --version, which reports the client's version, not the server's.

🔧 Temporary Workarounds

Network Access Control

linux

Block access to the Redis port at the network layer so that only trusted sources can open a connection at all. This is the primary mitigation the vendor advisory recommends. Rules appended with -A only take effect if no earlier rule already accepts the traffic; persist them across reboots, and consider also restricting the interfaces Redis listens on with the bind directive in redis.conf.

iptables -A INPUT -p tcp --dport 6379 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

Require TLS Client Certificates

all

Password authentication (requirepass) does not mitigate this issue, because the oversized allocation happens while the AUTH command itself is being parsed. The advisory's alternative to network filtering is TLS with mandatory client certificates: unauthenticated clients are rejected during the TLS handshake, before any RESP bytes reach the parser. This requires Redis 6.0 or later built with TLS support; Redis 5.0 has no TLS, so network controls are the only workaround there. In redis.conf:

port 0
tls-port 6379
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-auth-clients yes

🧯 If You Can't Patch

  • Restrict access to the Redis port at the network layer (firewall, iptables, cloud security groups) to trusted hosts only, and bind Redis to private interfaces
  • On Redis 6.0+, enable TLS and require client certificates (tls-auth-clients yes) so unauthenticated clients are rejected before the protocol parser runs; requirepass alone does not mitigate this issue

🔍 How to Verify

Check if Vulnerable:

Check the server version, not the redis-cli client version: run redis-server --version on the host, or connect and run redis-cli INFO server and read the redis_version field. Compare within the maintenance branch: 5.0.x is fixed from 5.0.14, 6.0.x from 6.0.16, 6.2.x from 6.2.6, and anything newer (7.x and later) includes the fix. Note that 6.0.15 is numerically above 5.0.14 yet still vulnerable, so a single "greater than" comparison is wrong.

Check Version:

redis-server --version
redis-cli INFO server | grep redis_version

Verify Fix Applied:

After patching and restarting, confirm that redis_version from INFO server reports 6.2.6, 6.0.16, 5.0.14 or a later release on the same branch. INFO server reflects the running process, so a reported fixed version also confirms that the restart took effect.
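Because the fix shipped to three maintenance branches, a version check has to compare within the branch. The added Python example below (not from the advisory or the Redis project) does that for the output of either command above; the sample outputs in it are constructed, and the "check" helper is this example's own.

```python
"""Branch-aware CVE-2021-32675 version check for Redis.

Added example, not from the advisory or the Redis project. It reads the version
out of either `redis-cli INFO server` output (redis_version:X.Y.Z) or
`redis-server --version` output (v=X.Y.Z) and compares it against the first
fixed release of the same maintenance branch. A single "greater than 5.0.14"
test would pass 6.0.15, which is still vulnerable.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per maintenance branch, from the vendor advisory.
FIXED_IN = {(5, 0): (5, 0, 14), (6, 0): (6, 0, 16), (6, 2): (6, 2, 6)}

VERSION_RE = re.compile(r"(?:redis_version:|\bv=)(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract X.Y.Z from INFO server or redis-server --version output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if vulnerable, False if fixed, None if the branch cannot be judged."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    if branch < (5, 0):
        return True          # end-of-life branches never received the fix
    if branch > (6, 2):
        return False         # released after the fix (7.0 and later)
    return None              # no GA release on this branch; investigate manually


def check(text: str) -> str:
    """One-word verdict for scripting: vulnerable, fixed or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return {True: "vulnerable", False: "fixed", None: "unknown"}[is_vulnerable(version)]


if __name__ == "__main__":
    # Constructed samples of the two command outputs.
    info = "# Server\r\nredis_version:6.0.15\r\nredis_git_sha1:00000000\r\nredis_mode:standalone\r\n"
    binary = "Redis server v=6.2.6 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=0000000000000000"
    print(check(info), check(binary))   # vulnerable fixed
```

In a fleet check, pipe the output of redis-cli INFO server from each host into check() and alert on anything other than "fixed"; "unknown" is a prompt to look at the host by hand, not a pass.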

📡 Detection & Monitoring

Log Indicators:

  • used_memory from INFO memory rising sharply while the dataset (keyspace size, used_memory_dataset) is unchanged
  • Redis aborting on an allocation failure, or the kernel OOM killer terminating redis-server (syslog/dmesg: "Out of memory: Killed process ... (redis-server)")
  • Many connections from one source that never complete a command (CLIENT LIST shows cmd=NULL), with or without preceding authentication failures

Network Indicators:

  • High volume of RESP protocol requests to Redis port (default 6379)
  • Multiple connections from single IP addresses with unusual request patterns

SIEM Query:

(source="redis.log" OR source="/var/log/syslog") ("out of memory" OR "Cannot allocate memory" OR "OOM" OR "Killed process") AND ("redis" OR "connection" OR "client")
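The per-client view from CLIENT LIST is the most direct place to see this attack in progress. The added example below (not part of the advisory or of Redis) triages that output for never-executed clients holding large query buffers and for sources with many such connections; the sample output is constructed, and the thresholds and helper names are this example's own assumptions.

```python
"""Triage CLIENT LIST output for connections that fit the CVE-2021-32675 pattern.

Added example, not part of the advisory or of Redis. SAMPLE_CLIENT_LIST is
constructed; its field layout follows Redis 6.x CLIENT LIST. Two signals:
  * a client that has never completed a command (cmd=NULL) whose query buffer
    (qbuf + qbuf-free) is far larger than any legitimate request, which is how
    an oversized "$<length>" header shows up once the server has grown the
    buffer for a payload that never arrives;
  * many cmd=NULL clients from one source address, which is how an attacker who
    opens connections and sends only headers looks, whichever header variant is
    used.
Thresholds are illustrative; tune them to the workload.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

QBUF_THRESHOLD = 1 << 20   # 1 MiB reserved for a client that has executed nothing
CONN_THRESHOLD = 5         # never-executed connections from one IP

SAMPLE_CLIENT_LIST = (
    # Normal client: ran a command, small buffers.
    "id=3 addr=10.0.0.5:39120 fd=8 name= age=120 idle=0 flags=N db=0 sub=0 psub=0 "
    "multi=-1 qbuf=26 qbuf-free=32742 argv-mem=10 obl=0 oll=0 omem=0 tot-mem=61466 "
    "events=r cmd=client user=default\n"
    # Oversized bulk header: 512 MiB buffer reserved, no command ever completed.
    "id=9 addr=203.0.113.7:51002 fd=12 name= age=5 idle=5 flags=N db=0 sub=0 psub=0 "
    "multi=-1 qbuf=12 qbuf-free=536870900 argv-mem=0 obl=0 oll=0 omem=0 "
    "tot-mem=536932378 events=r cmd=NULL user=default\n"
    # Eight idle connections from one host that never completed a command.
    + "".join(
        f"id={i} addr=198.51.100.9:{40000 + i} fd={20 + i} name= age=30 idle=30 flags=N "
        f"db=0 sub=0 psub=0 multi=-1 qbuf=13 qbuf-free=32755 argv-mem=0 obl=0 oll=0 "
        f"omem=0 tot-mem=61466 events=r cmd=NULL user=default\n"
        for i in range(10, 18)
    )
)


def parse_client_list(text: str) -> List[Dict[str, str]]:
    """Split each 'key=value key=value ...' line into a dict."""
    clients = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields: Dict[str, str] = {}
        for token in line.split(" "):
            key, _, value = token.partition("=")
            fields[key] = value
        clients.append(fields)
    return clients


def source_ip(addr: str) -> str:
    """'203.0.113.7:51002' -> '203.0.113.7'; also handles '[::1]:51002'."""
    return addr.rsplit(":", 1)[0]


def triage(text: str, qbuf_threshold: int = QBUF_THRESHOLD,
           conn_threshold: int = CONN_THRESHOLD
           ) -> Tuple[List[Tuple[str, str, int]], Dict[str, List[str]]]:
    """Return (oversized, noisy): (id, ip, reserved bytes) for never-executed
    clients holding a large query buffer, and ip -> ids for sources with many
    never-executed connections."""
    oversized: List[Tuple[str, str, int]] = []
    never_ran: Dict[str, List[str]] = defaultdict(list)
    for c in parse_client_list(text):
        if c.get("cmd") != "NULL":
            continue
        ip = source_ip(c["addr"])
        never_ran[ip].append(c["id"])
        reserved = int(c.get("qbuf", "0")) + int(c.get("qbuf-free", "0"))
        if reserved >= qbuf_threshold:
            oversized.append((c["id"], ip, reserved))
    noisy = {ip: ids for ip, ids in never_ran.items() if len(ids) >= conn_threshold}
    return oversized, noisy


if __name__ == "__main__":
    over, noisy = triage(SAMPLE_CLIENT_LIST)
    for cid, ip, nbytes in over:
        print(f"client {cid} from {ip} holds {nbytes} bytes without running a command")
    for ip, ids in noisy.items():
        print(f"{ip}: {len(ids)} connections that never completed a command")
```

Feed it live data with redis-cli CLIENT LIST on a schedule; a hit on either signal is a reason to kill the offending clients (CLIENT KILL ADDR) and block the source while the upgrade is scheduled.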
