CVE-2021-32762

7.5 HIGH

📋 TL;DR

This CVE describes an integer overflow in hiredis, the C client library bundled with Redis and used by redis-cli and redis-sentinel to parse server replies. When a reply is a multi-bulk (array) with a very large element count, hiredis passed that count straight to calloc() without checking that count * sizeof(element pointer) fits in a size_t. On a heap allocator that performs no overflow check of its own, the product wraps, the allocation comes back far smaller than the parser expects, and the writes that follow corrupt the heap, leading to a crash or potentially remote code execution. Note the direction of the attack: the crafted data is a reply, so it has to come from a server (or an on-path attacker) that redis-cli or redis-sentinel connects to. Only systems whose allocator lacks an overflow check are affected, which excludes most modern C libraries and the default redis-sentinel build, which uses jemalloc.
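The arithmetic behind the bug, as an added illustration that is not hiredis or Redis code: a tiny RESP multi-bulk header parser, the unchecked byte-count computation that wraps, and the SIZE_MAX / sizeof guard that the hiredis fix applies before calloc(). The function names (parse_multibulk_header, checked_array_bytes, reply_array_bytes and so on) are this example's own; the crafted header is constructed at run time for the current platform's pointer size and is not a captured payload.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for hiredis' redisReply*: only its size matters for the arithmetic. */
typedef void *reply_ptr;

/* Parse a RESP multi-bulk header "*<count>\r\n" (the line a server sends
 * before an array reply). Returns 0 and sets *count on success, -1 on a
 * malformed header. -1 is a legal count (null array); anything below that
 * is rejected, as hiredis does. Example code, not the library's parser. */
int parse_multibulk_header(const char *hdr, long long *count) {
    if (hdr == NULL || hdr[0] != '*') return -1;
    if (hdr[1] != '-' && (hdr[1] < '0' || hdr[1] > '9')) return -1; /* no whitespace or '+' */
    errno = 0;
    char *end = NULL;
    long long v = strtoll(hdr + 1, &end, 10);
    if (errno == ERANGE || end == hdr + 1) return -1;   /* does not fit, or no digits */
    if (strcmp(end, "\r\n") != 0) return -1;            /* must end exactly at CRLF */
    if (v < -1) return -1;
    *count = v;
    return 0;
}

/* Vulnerable arithmetic: the byte count an allocator derives from
 * calloc(elements, sizeof(reply_ptr)) when it does NOT check for overflow.
 * The product wraps modulo SIZE_MAX + 1, so a huge count can yield 0 bytes. */
size_t unchecked_array_bytes(size_t elements) {
    return elements * sizeof(reply_ptr);
}

/* Hardened arithmetic: the guard the hiredis fix adds before calling
 * calloc(). Refuse any count whose product does not fit in size_t. */
int checked_array_bytes(size_t elements, size_t *bytes) {
    if (elements > SIZE_MAX / sizeof(reply_ptr)) return -1;
    *bytes = elements * sizeof(reply_ptr);
    return 0;
}

/* Smallest element count whose product wraps to exactly zero on this
 * platform (2^61 with 8-byte pointers, 2^30 with 4-byte pointers). */
size_t wrapping_count(void) {
    return SIZE_MAX / sizeof(reply_ptr) + 1;
}

/* Build the header a rogue server would send to trigger the wrap here
 * (constructed for this example, not a captured payload). */
int build_wrapping_header(char *out, size_t outlen) {
    int n = snprintf(out, outlen, "*%zu\r\n", wrapping_count());
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* End-to-end: parse a header and decide how many bytes to allocate for the
 * element array, with the overflow check in place.
 *   0 -> *bytes is a safe allocation size
 *  -1 -> malformed header (protocol error)
 *  -2 -> well-formed, but the count would overflow the allocation (rejected) */
int reply_array_bytes(const char *hdr, size_t *bytes) {
    long long count;
    if (parse_multibulk_header(hdr, &count) != 0) return -1;
    if (count == -1) { *bytes = 0; return 0; }          /* null array: nothing to allocate */
    /* on 32-bit builds a count above SIZE_MAX is already a protocol error */
    if (LLONG_MAX > SIZE_MAX && (unsigned long long)count > SIZE_MAX) return -1;
    return checked_array_bytes((size_t)count, bytes) == 0 ? 0 : -2;
}

int main(void) {
    char hdr[64];
    size_t bytes = 0;
    if (build_wrapping_header(hdr, sizeof hdr) != 0) return 1;
    printf("crafted header      : %s", hdr);
    printf("unchecked allocation: %zu bytes (wrapped)\n", unchecked_array_bytes(wrapping_count()));
    printf("checked result      : %d (-2 = rejected)\n", reply_array_bytes(hdr, &bytes));
    return 0;
}
```

Run it on a 64-bit host and the crafted header is "*2305843009213693952\r\n": the unchecked product is 0 bytes, which is what an allocator without its own check would hand back before the parser starts storing element pointers into it, while the guarded path refuses the count outright. glibc's and jemalloc's calloc perform the same nmemb * size check internally, which is why builds on those allocators were never exposed.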

💻 Affected Systems

Products:
  • Redis
  • redis-cli
  • redis-sentinel
Versions: Redis 6.2.x before 6.2.6, 6.0.x before 6.0.16, and 5.0.x before 5.0.14
Operating Systems: Any; exposure depends on the heap allocator the binary links against, not on the operating system
Default Config Vulnerable: ✅ No
Notes: Only vulnerable where the allocator behind calloc() does not check nmemb * size for overflow. glibc and jemalloc both do, and Windows builds are reported as protected, so stock builds on those platforms are not exposed; redis-sentinel is built with jemalloc by default. Builds that route hiredis through a custom allocator (hiredisSetAllocators) or a minimal libc should be treated as vulnerable until patched.

📦 What is this software?

Redis is an open source in-memory data structure store used as a database, cache and message broker. redis-cli is its command line client, and redis-sentinel is the monitoring and automatic failover service for Redis deployments. Both parse server replies with hiredis, the minimal C client library that Redis bundles under deps/hiredis, which is where this bug lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, if the attacker can make redis-cli or redis-sentinel connect to a server under their control (or tamper with replies in transit) and the client's heap allocator performs no overflow check.

🟠

Likely Case

Denial of service through application crash or memory corruption, potentially leading to data loss or service disruption.

🟢

If Mitigated

No practical impact on builds whose calloc() checks for overflow (glibc, or jemalloc as used by redis-sentinel by default), and none once the fixed release is installed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires delivering a specially crafted multi-bulk reply (an array header "*<count>\r\n" with an enormous element count) to a vulnerable redis-cli or redis-sentinel instance. Because the bug is in reply parsing, the attacker must control, impersonate or sit on the path to a Redis server that the client connects to: for sentinel, that is any monitored master, replica or peer sentinel; for redis-cli, any host an operator points it at. A legitimate Redis server never emits such a header. No authentication is involved on the vulnerable code path, which is why the exploit is listed as unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Redis 6.2.6, 6.0.16, or 5.0.14

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-833w-8v3m-8wwr

Restart Required: Yes

Instructions:

1. Identify the installed version with redis-server --version (redis-cli --version and redis-sentinel --version work as well; redis-cli and redis-sentinel ship with the server package).
2. If the version is below the fixed release for its branch, upgrade to Redis 6.2.6, 6.0.16 or 5.0.14 (or later) on the same major version.
3. Download from https://redis.io/download or use your distribution's patched package.
4. Stop the Redis and Sentinel services.
5. Install the new version.
6. Restart the services and confirm the reported version.

Note: the fix lives in the hiredis copy bundled under deps/hiredis. Distribution packages that build Redis against a system-wide hiredis need the corresponding hiredis fix instead (tracked separately as CVE-2021-32765, fixed in hiredis 1.0.1).

🔧 Temporary Workarounds

Confirm the jemalloc allocator

linux

Ensure redis-sentinel is built with jemalloc (the default on Linux), which checks calloc() arguments for overflow and is therefore not affected. The version banner reports the allocator in its malloc= field:

redis-sentinel --version | grep -o 'malloc=[^ ]*'

If the output shows malloc=libc, the build depends on the C library's calloc instead (glibc performs its own overflow check). redis-cli --version prints no allocator field; its exposure likewise depends on the C library it links against.

Network segmentation

linux

Restricting inbound access to the Redis and Sentinel ports limits who can impersonate or tamper with a server that your clients talk to. Since the bug is triggered by replies, also restrict which hosts sentinel and redis-cli are allowed to connect to, and enable TLS (Redis 6 and later) so that clients authenticate the server before parsing anything it sends. The rules below allow one trusted source and drop everyone else (trusted_ip is a placeholder):

iptables -A INPUT -p tcp --dport 6379 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 26379 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
iptables -A INPUT -p tcp --dport 26379 -j DROP

🧯 If You Can't Patch

  • Restrict network access to Redis and Sentinel ports to trusted internal networks with firewall rules, and restrict the outbound connections of sentinel to the known masters, replicas and peer sentinels it is configured to monitor.
  • Never point redis-cli at an untrusted or unknown host; an attacker-controlled server is exactly the trigger for this bug.
  • Prefer TLS connections (Redis 6 and later) so clients verify the server identity before parsing replies.
  • Monitor for crashes, abnormal termination or sudden memory growth in redis-sentinel and redis-cli processes, and alert on them.

🔍 How to Verify

Check if Vulnerable:

Check the Redis version with 'redis-server --version' or 'redis-cli --version'. If the version is below 6.2.6 (6.2.x), 6.0.16 (6.0.x) or 5.0.14 (5.0.x), the system may be vulnerable, depending on whether its heap allocator checks calloc() arguments for overflow.

Check Version:

redis-server --version

Verify Fix Applied:

After patching, verify version is 6.2.6 or higher (for 6.2.x), 6.0.16 or higher (for 6.0.x), or 5.0.14 or higher (for 5.0.x) using 'redis-server --version'.

📡 Detection & Monitoring

Log Indicators:

  • redis-sentinel or redis-cli crashes or abnormal termination (Redis crash reports contain 'crashed by signal')
  • Memory allocation errors in system logs
  • Sudden memory usage spikes in Redis or Sentinel processes

Network Indicators:

  • Array reply headers ('*' followed by an enormous element count) sent from a Redis port (6379, 26379) toward a sentinel or redis-cli client; a legitimate server never emits these
  • Sentinel or redis-cli connections to hosts that are not known members of the deployment, which may indicate server impersonation or a redirect
  • Repeated connections carrying malformed Redis protocol

SIEM Query:

source="redis.log" AND ("crash" OR "crashed by signal" OR "segmentation fault" OR "out of memory")

🔗 References

  • Redis advisory: https://github.com/redis/redis/security/advisories/GHSA-833w-8v3m-8wwr
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-32762
  • Corresponding hiredis issue: https://nvd.nist.gov/vuln/detail/CVE-2021-32765