CVE-2021-41099

7.5 HIGH

📋 TL;DR

CVE-2021-41099 is an integer overflow in the string library (sds) that Redis uses for all its strings. When the proto-max-bulk-len configuration parameter has been raised from its default of 512mb to a very large value, specially crafted network payloads or commands can corrupt the heap, which can lead to denial of service or remote code execution inside the redis-server process. Deployments running vulnerable versions are exploitable only if that parameter has already been raised or the attacker can raise it with CONFIG SET.

💻 Affected Systems

Products:
  • Redis
Versions: Redis 6.2.x before 6.2.6, 6.0.x before 6.0.16, and 5.0.x before 5.0.14
Operating Systems: All operating systems running vulnerable Redis versions
Default Config Vulnerable: ✅ No
Notes: Exploitation requires proto-max-bulk-len to be set to a very large value; the default (512mb) is not affected. An attacker therefore needs either an instance where the operator has already raised it or a client permitted to run CONFIG SET, plus the ability to send crafted commands or payloads.

📦 What is this software?

Redis is an open-source, in-memory key-value data store used as a cache, message broker and primary database. redis-server speaks the RESP protocol, by default on TCP port 6379, and accepts runtime configuration changes from clients through the CONFIG SET command, which is why the precondition for this bug can be created over the network.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution in the redis-server process by turning the heap corruption into arbitrary code execution, with whatever privileges the Redis service account holds (full host compromise if Redis runs as root).

🟠

Likely Case

Denial of service: the heap corruption crashes redis-server, interrupting every client until the process is restarted.

🟢

If Mitigated

No impact on patched versions. On unpatched versions, no impact as long as proto-max-bulk-len stays at its default and ACLs deny CONFIG SET to clients.

🌐 Internet-Facing: HIGH - An internet-facing instance without authentication, or whose users may run CONFIG SET, lets any remote client create the precondition and then trigger the bug.
🏢 Internal Only: MEDIUM - Internal instances remain exploitable by authenticated clients or by an attacker who has moved laterally onto a host that can reach the Redis port.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires either an instance where proto-max-bulk-len has already been raised or a client permitted to run CONFIG SET, followed by specially crafted commands or network payloads. Where Redis has no authentication configured, any client that can reach the port can do both. Public proof-of-concept material has been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Redis 6.2.6, 6.0.16, or 5.0.14

Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-j3cr-9h5g-6cph

Restart Required: Yes

Instructions:

1. Back up data and configuration: trigger a snapshot (SAVE or BGSAVE), then copy the dump/AOF files and redis.conf.
2. Stop the Redis service.
3. Upgrade to Redis 6.2.6, 6.0.16, or 5.0.14 (or a later release on the same branch) from your package manager or from source.
4. Start the Redis service.
5. Verify the running version (redis-cli INFO server | grep redis_version) and confirm that clients connect and read/write normally.

🔧 Temporary Workarounds

ACL Restriction for CONFIG SET

Applies to: Redis 6.0 and later (ACL); see below for Redis 5.0

Prevent unprivileged users from modifying proto-max-bulk-len by denying them the CONFIG command through Redis ACL. CONFIG belongs to the @admin and @dangerous categories, so -@dangerous also removes it, along with KEYS, FLUSHALL and the other commands in that category. Redis 6.x ACL cannot deny a single subcommand, so drop CONFIG entirely and re-allow only CONFIG GET if the application needs it:

ACL SETUSER appuser on >strongpassword ~* +@all -config +config|get

Apply the same -config rule to the default user if clients authenticate with requirepass alone, and persist the rules (ACL SAVE with aclfile configured, or user directives in redis.conf), otherwise they are lost on restart. Redis 5.0 has no ACL; the equivalent there is the rename-command CONFIG "" directive in redis.conf, which disables CONFIG for every client.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules so that only trusted application hosts can reach the Redis port, and require authentication on every instance.
  • Use Redis ACL (or rename-command on Redis 5.0) to deny the CONFIG command to all application users, and periodically compare CONFIG GET proto-max-bulk-len against the default to catch changes.

🔍 How to Verify

Check if Vulnerable:

Two things matter: the running version and whether proto-max-bulk-len has been raised. The version comes from INFO; the parameter does not appear in INFO output and must be read with CONFIG GET:

redis-cli INFO server | grep redis_version
redis-cli CONFIG GET proto-max-bulk-len

The default is 536870912 (512mb). A version below its branch's fix release with a value above that is exploitable now; a version below the fix release at the default value is exposed to any client that can run CONFIG SET.

Check Version:

redis-cli INFO server | grep redis_version

Verify Fix Applied:

Confirm the version is at least 6.2.6 on the 6.2 branch, 6.0.16 on the 6.0 branch, or 5.0.14 on the 5.0 branch (later branches such as 7.x include the fix). Run: redis-cli INFO server | grep redis_version
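The version and configuration checks above can be combined into one assessment. The script below is an added example written for this page, not Redis project code: it parses the output of the two redis-cli commands, compares the version against the fix release for its branch, and compares proto-max-bulk-len against the 512mb default. The sample INFO and CONFIG GET outputs are constructed, not captured from a real host; the rule that treats branches not named in the advisory (such as 7.x or end-of-life 4.x) as patched only if they are newer than 6.2.6 is an assumption of the example.

```python
import re
import subprocess

# Fix releases named in the advisory, keyed by release branch.
PATCHED = {(5, 0): (5, 0, 14), (6, 0): (6, 0, 16), (6, 2): (6, 2, 6)}
# redis.conf default for proto-max-bulk-len is 512mb.
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024


def parse_version(text):
    """'6.2.5' -> (6, 2, 5); any suffix after the third number is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Redis version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_is_patched(version):
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        return v >= PATCHED[branch]
    # Assumption: a branch not named in the advisory is patched only if it is
    # newer than the newest fix release (e.g. 7.x); older end-of-life branches
    # (4.x and earlier) never received the fix and are treated as unpatched.
    return v >= (6, 2, 6)


def version_from_info(info_text):
    """Pull redis_version out of 'INFO server' output (CRLF-terminated lines)."""
    m = re.search(r"^redis_version:(\S+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not present in INFO output")
    return m.group(1)


def bulk_len_from_config_get(config_text):
    """Read the value out of 'CONFIG GET proto-max-bulk-len' as printed by redis-cli.
    Accepts both the tty form ('1) "proto-max-bulk-len"' / '2) "536870912"')
    and the raw form used when output is piped (one bare value per line)."""
    lines = [re.sub(r"^\s*\d+\)\s*", "", l).strip().strip('"') for l in config_text.splitlines()]
    for i, line in enumerate(lines):
        if line == "proto-max-bulk-len" and i + 1 < len(lines):
            return int(lines[i + 1])
    raise ValueError("proto-max-bulk-len not present in CONFIG GET output")


def assess(info_text, config_get_text):
    """Combine both checks into one of three outcomes: patched, vulnerable, exposed."""
    version = version_from_info(info_text)
    bulk_len = bulk_len_from_config_get(config_get_text)
    patched = version_is_patched(version)
    raised = bulk_len > DEFAULT_PROTO_MAX_BULK_LEN
    if patched:
        status = "patched"
    elif raised:
        status = "vulnerable"   # unpatched and the precondition is already in place
    else:
        status = "exposed"      # unpatched; safe only while CONFIG SET is out of reach
    return {"version": version, "proto_max_bulk_len": bulk_len, "patched": patched, "status": status}


def assess_live(host="127.0.0.1", port=6379):
    """Run both queries against a live instance (needs redis-cli on PATH; add
    -a / --user options as your authentication setup requires)."""
    base = ["redis-cli", "-h", host, "-p", str(port)]
    info = subprocess.run(base + ["INFO", "server"], capture_output=True, text=True, check=True).stdout
    cfg = subprocess.run(base + ["CONFIG", "GET", "proto-max-bulk-len"], capture_output=True, text=True, check=True).stdout
    return assess(info, cfg)


# Constructed sample outputs (not captured from a real host) covering the three outcomes.
SAMPLE_INFO_OLD = "# Server\r\nredis_version:6.2.5\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_FIXED = "# Server\r\nredis_version:6.2.6\r\nredis_mode:standalone\r\n"
SAMPLE_CFG_DEFAULT = '1) "proto-max-bulk-len"\n2) "536870912"\n'
SAMPLE_CFG_RAISED = "proto-max-bulk-len\n4294967296\n"   # raw (piped) redis-cli form, 4gb

if __name__ == "__main__":
    for info, cfg in [(SAMPLE_INFO_OLD, SAMPLE_CFG_DEFAULT),
                      (SAMPLE_INFO_OLD, SAMPLE_CFG_RAISED),
                      (SAMPLE_INFO_FIXED, SAMPLE_CFG_RAISED)]:
        print(assess(info, cfg))
```

The "exposed" outcome is the one most fleets will see: the version is old but the parameter is still at its default, so the instance is safe exactly as long as no client can run CONFIG SET, which is why the ACL workaround and the upgrade both matter.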

📡 Detection & Monitoring

Log Indicators:

  • Redis does not log client commands, so a CONFIG SET proto-max-bulk-len leaves no trace in the server log. Detect it by periodically comparing CONFIG GET proto-max-bulk-len against the default, or on the wire (see Network Indicators). MONITOR shows every command in real time but is too costly for steady-state production use.
  • Crash reports in the server log: lines containing "crashed by signal", "Guru Meditation" (emitted by serverPanic) or "=== REDIS BUG REPORT START".
  • Unexpected restarts of redis-server (supervisor or systemd restart events) with no corresponding operator action.

Network Indicators:

  • Unusually large bulk strings sent to the Redis port (6379 by default), especially following a CONFIG SET on the same connection
  • CONFIG SET commands, or repeated attempts, from clients that have no administrative role

SIEM Query:

source="redis.log" AND ("crashed by signal" OR "Guru Meditation" OR "REDIS BUG REPORT START")
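Because the server log never records CONFIG SET, the wire-level indicator has to be pulled out of captured client traffic. The following is an added example written for this page, not Redis project code: a small parser for the client-to-server side of RESP (arrays of bulk strings, plus the inline plain-text form Redis also accepts) that flags CONFIG SET proto-max-bulk-len values above the 512mb default, using the same memory-unit suffixes Redis accepts (k/m/g decimal, kb/mb/gb binary), alongside a scan of server log lines for the crash signatures listed above. The byte stream and log lines are constructed samples, not captures from a real incident; feeding it real traffic (for example, the reassembled TCP payload of a connection to port 6379) is assumed to be done by the caller.

```python
import re

DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024   # redis.conf default: 512mb

# Memory-unit suffixes accepted by Redis for memory-sized config values.
_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2,
          "mb": 1024 ** 2, "g": 1000 ** 3, "gb": 1024 ** 3}

CRASH_SIGNATURES = ("crashed by signal", "Guru Meditation", "REDIS BUG REPORT START")


def parse_memory_value(text):
    """'4gb' -> 4294967296, '512mb' -> 536870912, '1g' -> 1000000000."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-zA-Z]*)\s*", text)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError("not a Redis memory value: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_client_stream(data):
    """Split a client->server byte stream into commands (lists of str).
    Handles RESP arrays of bulk strings and the inline (plain text) form."""
    cmds, pos, n = [], 0, len(data)
    while pos < n:
        if data[pos:pos + 1] == b"*":
            end = data.index(b"\r\n", pos)
            count = int(data[pos + 1:end])
            pos = end + 2
            args = []
            for _ in range(count):
                if data[pos:pos + 1] != b"$":
                    raise ValueError("expected bulk string at offset %d" % pos)
                end = data.index(b"\r\n", pos)
                length = int(data[pos + 1:end])
                pos = end + 2
                args.append(data[pos:pos + length].decode("utf-8", "replace"))
                pos += length + 2          # skip payload and its trailing CRLF
            cmds.append(args)
        else:                               # inline command: one text line
            end = data.index(b"\r\n", pos)
            args = data[pos:end].decode("utf-8", "replace").split()
            pos = end + 2
            if args:
                cmds.append(args)
    return cmds


def flag_bulk_len_changes(cmds):
    """Alert on CONFIG SET proto-max-bulk-len above the default (or unparseable)."""
    alerts = []
    for args in cmds:
        if (len(args) >= 4 and args[0].upper() == "CONFIG"
                and args[1].upper() == "SET" and args[2].lower() == "proto-max-bulk-len"):
            try:
                value = parse_memory_value(args[3])
            except ValueError:
                alerts.append(("malformed", args[3]))
                continue
            if value > DEFAULT_PROTO_MAX_BULK_LEN:
                alerts.append(("raised", value))
    return alerts


def scan_server_log(lines):
    """Return the redis-server log lines that carry a crash signature."""
    return [line for line in lines if any(sig in line for sig in CRASH_SIGNATURES)]


# Constructed client stream: a RESP CONFIG SET raising the limit to 4gb, an inline
# CONFIG SET that merely restates the default, and an ordinary SET.
SAMPLE_STREAM = (
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$18\r\nproto-max-bulk-len\r\n$3\r\n4gb\r\n"
    b"CONFIG SET proto-max-bulk-len 512mb\r\n"
    b"*3\r\n$3\r\nSET\r\n$1\r\nk\r\n$1\r\nv\r\n"
)

# Constructed server log lines in redis-server's format (not from a real crash).
SAMPLE_LOG = [
    "1234:M 01 Oct 2021 10:00:00.001 * Ready to accept connections",
    "1234:M 01 Oct 2021 10:05:12.417 # Redis 6.2.5 crashed by signal: 11, si_code: 1",
    "1234:M 01 Oct 2021 10:05:12.417 # Crashed running the instruction at: 0x55d0c3a1f2e0",
]

if __name__ == "__main__":
    print(flag_bulk_len_changes(parse_client_stream(SAMPLE_STREAM)))
    print(scan_server_log(SAMPLE_LOG))
```

Only the first command produces an alert: the inline CONFIG SET sets the parameter to exactly the default, which is harmless for this bug, and a detector that fired on every CONFIG SET would drown the signal in routine administration.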

🔗 References

📤 Share & Export