CVE-2021-21309 Overview
CVE-2021-21309 is an integer overflow vulnerability affecting 32-bit versions of Redis, the popular open-source in-memory database. This vulnerability exists in Redis version 4.0 and newer, where improper handling of the configurable maximum bulk input size limit can trigger integer overflow scenarios. When exploited, attackers can corrupt the heap and potentially achieve remote code execution on vulnerable systems.
Redis uses a configurable limit for the maximum supported bulk input size, defaulting to 512MB, a value that is safe on all platforms. However, if this limit is significantly increased via the CONFIG SET proto-max-bulk-len command, receiving a large request from a client may trigger multiple integer overflow scenarios, resulting in buffer overflow and heap corruption. By default, authenticated Redis users have access to all configuration parameters, making it possible to modify this safe default and expose the system to attack.
Critical Impact
This vulnerability only affects 32-bit Redis installations (either on 32-bit systems or as 32-bit executables running on 64-bit systems). Successful exploitation can lead to heap corruption and remote code execution, potentially allowing attackers to gain complete control of the affected system.
Affected Products
- Redis versions 4.0 through 5.0.10 (32-bit)
- Redis versions 6.0.0 through 6.0.10 (32-bit)
- Redis versions 6.2-rc1 and 6.2-rc2 (32-bit)
Discovery Timeline
- 2021-02-26 - CVE CVE-2021-21309 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21309
Vulnerability Analysis
The vulnerability stems from an integer overflow condition in the bulk input size handling mechanism within 32-bit Redis builds. Redis allows administrators to configure the maximum size of bulk inputs through the proto-max-bulk-len configuration parameter. While the default value of 512MB is designed to be safe, authenticated users with configuration privileges can increase this value significantly.
On 32-bit systems, the size calculations for large bulk inputs can overflow the 32-bit integer boundaries. When an attacker sends a specially crafted large request after manipulating the bulk size limit, the integer overflow corrupts internal size calculations, leading to undersized buffer allocations. Subsequent data writes then overflow these buffers, corrupting the heap structure and potentially overwriting critical memory regions including function pointers.
Root Cause
The root cause is classified as CWE-190 (Integer Overflow or Wraparound). The vulnerability occurs because Redis does not adequately validate size calculations on 32-bit architectures when processing bulk input data larger than a 32-bit integer can represent. Arithmetic on size variables can wrap around to small or negative values for such inputs, so the computed buffer sizes no longer match the data that will be written into them, leading to memory corruption.
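The wraparound described above, modelled as an added example. This is illustrative Python written for this page, not Redis source code: it computes a 32-bit unsigned buffer size for "bytes already buffered + bulk payload + CRLF" with and without an overflow check. The buffer model, the 2-byte CRLF term and the sample lengths are assumptions chosen to mirror the advisory's description, not the exact arithmetic inside Redis.

```python
# Added illustration for this page, not Redis source code: it models a
# 32-bit unsigned size computation of the kind the advisory describes and
# shows how an overflow check turns a silent wraparound into a rejection.
# The buffer model (already-buffered bytes + bulk payload + 2-byte CRLF)
# and the sample lengths are assumptions chosen for the illustration.

U32_MAX = 0xFFFFFFFF
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024  # Redis default of 512MB


def add_u32_wrapping(a: int, b: int) -> int:
    """Unsigned 32-bit addition as a size_t behaves on a 32-bit build: wraps silently."""
    return (a + b) & U32_MAX


def add_u32_checked(a: int, b: int):
    """Overflow-checked 32-bit addition: returns None instead of a wrapped result."""
    total = a + b
    return None if total > U32_MAX else total


def required_buffer_size(current_len: int, bulk_len: int, limit: int, checked: bool):
    """Size a reader needs for an incoming bulk string: bytes already buffered,
    plus the announced bulk length, plus 2 for the trailing CRLF.
    Returns (accepted, size); size is None whenever the request is rejected."""
    if bulk_len < 0 or bulk_len > limit:
        return False, None  # the proto-max-bulk-len check rejects it up front
    if checked:
        size = add_u32_checked(current_len, bulk_len)
        if size is not None:
            size = add_u32_checked(size, 2)
        return size is not None, size
    return True, add_u32_wrapping(add_u32_wrapping(current_len, bulk_len), 2)


def allocation_is_undersized(current_len: int, bulk_len: int, limit: int) -> bool:
    """True when the unchecked computation yields a buffer smaller than the data it must hold."""
    accepted, size = required_buffer_size(current_len, bulk_len, limit, checked=False)
    return accepted and size < current_len + bulk_len + 2


if __name__ == "__main__":
    # With the default limit, the oversized request never reaches the arithmetic.
    print(required_buffer_size(64, 0xFFFFFFF0, DEFAULT_PROTO_MAX_BULK_LEN, checked=False))
    # With the limit raised to the 32-bit maximum, the sum wraps to 50 bytes.
    print(required_buffer_size(64, 0xFFFFFFF0, U32_MAX, checked=False))
    print(allocation_is_undersized(64, 0xFFFFFFF0, U32_MAX))
    # Checked arithmetic rejects the same request instead of wrapping.
    print(required_buffer_size(64, 0xFFFFFFF0, U32_MAX, checked=True))
```

The point of the two code paths is the one the advisory makes: the default 512MB limit keeps every sum far below 2^32, so the unchecked arithmetic is only reachable once the limit is raised, and a checked addition (or a hard cap on the configurable limit) closes the gap regardless of the configured value.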
Attack Vector
The attack requires network access to a Redis instance and valid authentication credentials. Once authenticated, an attacker exploits this vulnerability through the following sequence:
- Connect to the vulnerable 32-bit Redis instance with valid credentials
- Use CONFIG SET proto-max-bulk-len to increase the maximum bulk input size beyond safe limits
- Send a specially crafted oversized request that triggers integer overflow during size calculations
- The resulting buffer overflow corrupts heap memory, which can be leveraged for arbitrary code execution
The network-based attack vector with low complexity makes this vulnerability particularly dangerous for exposed Redis instances where authenticated users may be malicious or compromised.
Detection Methods for CVE-2021-21309
Indicators of Compromise
- Unexpected CONFIG SET proto-max-bulk-len commands in Redis logs with abnormally large values
- Redis process crashes or restarts associated with heap corruption errors
- Anomalous large bulk data transfers to Redis instances
- Unusual memory consumption patterns in 32-bit Redis processes
Detection Strategies
- Monitor Redis command logs for CONFIG SET proto-max-bulk-len commands, especially those setting values significantly above the default 512MB
- Implement intrusion detection rules to alert on oversized Redis protocol messages
- Deploy memory integrity monitoring tools to detect heap corruption indicators
- Use Redis slow log analysis to identify unusual bulk operations
Monitoring Recommendations
- Enable Redis logging and audit all CONFIG commands for unauthorized modifications
- Implement network traffic analysis to detect anomalous data volumes to Redis ports (default 6379)
- Set up alerts for Redis process crashes or unexpected restarts
- Monitor system memory usage for 32-bit Redis processes to detect potential exploitation attempts
How to Mitigate CVE-2021-21309
Immediate Actions Required
- Identify all 32-bit Redis installations in your environment running version 4.0 or newer
- Upgrade affected Redis instances to version 6.2, 6.0.11, or 5.0.11 immediately
- If immediate patching is not possible, implement the workarounds described below
- Audit authentication credentials and limit access to trusted users only
Patch Information
Redis has released security patches that address this integer overflow vulnerability. The fix is included in Redis version 6.2 and has been backported to versions 6.0.11 and 5.0.11. Organizations running 32-bit Redis should upgrade to one of these patched versions immediately.
For additional technical details, refer to the GitHub Security Advisory, GitHub Redis Pull Request #8522, and the security fix commit c992857618db99776917f10bf4f2345a5fdc78b0.
Workarounds
- For Redis 6.0 or newer: Use ACL configuration to block the CONFIG SET command for non-administrative users
- For older Redis versions: Use the rename-command directive to rename CONFIG to a random string, making it inaccessible to regular users
- Consider migrating to 64-bit Redis builds where this vulnerability does not apply
- Implement network segmentation to restrict Redis access to trusted internal networks only
# Redis configuration workaround for versions without ACLs (before 6.0)
# Add to redis.conf to rename the CONFIG command; choose your own random
# string so that the new name is not guessable by regular users
rename-command CONFIG "RANDOMSTRING_a8d7f3e2b1c4"
# For Redis 6.0+ using ACL (in redis.conf, or in the ACL file loaded by ACL LOAD)
# Create a restricted user with access to all keys and commands except CONFIG;
# replace "password" with a real secret (ACL command names are case-insensitive)
user restricted-user on >password ~* +@all -CONFIG
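The detection and mitigation checks from the sections above (flagging CONFIG SET proto-max-bulk-len above the 512MB default, inventorying 32-bit builds of unfixed versions, and confirming the rename-command or ACL workaround) as one added, self-contained script. This is example code written for this page, not part of Redis or of the advisory. It assumes three inputs an operator can collect: `INFO server` output (the real `redis_version` and `arch_bits` fields), captured MONITOR lines (Redis does not log commands by default, so MONITOR or a proxy capture is the assumed source) and a redis.conf. The sample inputs are constructed, and the ACL evaluation is a deliberate simplification that understands only a few rule keywords and does not model the implicit default user.

```python
import re
from typing import List, Optional, Tuple

# Added defender-side helper code for this page, not part of Redis or the advisory.
# Sample inputs at the bottom are constructed for the example.

DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 * 1024  # Redis default of 512MB
# Unit table follows redis.conf conventions: 1k = 1000 bytes, 1kb = 1024 bytes, etc.
_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2,
          "mb": 1024 ** 2, "g": 1000 ** 3, "gb": 1024 ** 3}
# MONITOR line shape: <timestamp> [<db> <client>] "CMD" "arg" ...
_MONITOR_RE = re.compile(r"^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$")
_QUOTED_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_memory_value(text: str) -> Optional[int]:
    """Turn '4gb', '512mb' or '4294967295' into bytes; None if unparseable."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", text.strip())
    if not m or m.group(2).lower() not in _UNITS:
        return None
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def version_in_affected_range(version: str) -> bool:
    """Versions the advisory lists: 4.0 to 5.0.10, 6.0.0 to 6.0.10, 6.2-rc1/rc2."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", version)
    if not m:
        return True  # unparseable version: treat as unconfirmed, i.e. affected
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) < (4, 0):
        return False
    if (major, minor) in ((5, 0), (6, 0)):
        return patch <= 10  # fixed in 5.0.11 and 6.0.11
    if (major, minor, patch) == (6, 2, 0):
        return m.group(4) is not None  # 6.2 release candidates predate the fix
    return (major, minor) < (6, 2)  # 4.x and any other pre-6.2 line


def is_affected_build(info_server: str) -> bool:
    """True when `INFO server` output shows a 32-bit build of an unfixed version."""
    fields = {}
    for line in info_server.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields.get("arch_bits") == "32" and version_in_affected_range(fields.get("redis_version", ""))


def scan_monitor_lines(lines, threshold: int = DEFAULT_PROTO_MAX_BULK_LEN) -> List[Tuple[str, str, int]]:
    """(timestamp, client, bytes) for each CONFIG SET proto-max-bulk-len above threshold.
    An unparseable value is reported with -1 so it is never silently dropped."""
    hits = []
    for raw in lines:
        m = _MONITOR_RE.match(raw.strip())
        if not m:
            continue
        args = _QUOTED_ARG_RE.findall(m.group(4))
        if len(args) < 4 or [a.lower() for a in args[:3]] != ["config", "set", "proto-max-bulk-len"]:
            continue
        value = parse_memory_value(args[3])
        if value is None or value > threshold:
            hits.append((m.group(1), m.group(3), -1 if value is None else value))
    return hits


def audit_redis_conf(conf_text: str) -> List[str]:
    """Findings against the workarounds: raised limit, ACL users keeping CONFIG, CONFIG not renamed.
    ACL rules understood: +@all/-@all, allcommands/nocommands, +config/-config (simplified)."""
    findings, config_renamed = [], False
    for raw in conf_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "proto-max-bulk-len" and len(parts) > 1:
            value = parse_memory_value(parts[1])
            if value is None or value > DEFAULT_PROTO_MAX_BULK_LEN:
                findings.append(f"proto-max-bulk-len set above the 512MB default: {parts[1]}")
        elif key == "rename-command" and len(parts) > 2 and parts[1].lower() == "config":
            config_renamed = True
        elif key == "user" and len(parts) > 2 and "off" not in parts[2:]:
            allowed = False  # rules apply left to right; later rules win
            for rule in (r.lower() for r in parts[2:]):
                if rule in ("+@all", "allcommands", "+config"):
                    allowed = True
                elif rule in ("-@all", "nocommands", "-config"):
                    allowed = False
            if allowed:
                findings.append(f"ACL user {parts[1]} can still run CONFIG")
    if not config_renamed:
        findings.append("CONFIG command not renamed (acceptable only if ACLs restrict it)")
    return findings


# Constructed sample inputs for the example (not real captures)
SAMPLE_INFO = "# Server\r\nredis_version:5.0.9\r\narch_bits:32\r\n"
SAMPLE_MONITOR = [
    '1613000000.100000 [0 10.0.0.5:51234] "CONFIG" "SET" "proto-max-bulk-len" "4gb"',
    '1613000001.200000 [0 10.0.0.7:51235] "CONFIG" "SET" "proto-max-bulk-len" "512mb"',
    '1613000002.300000 [0 10.0.0.9:51236] "SET" "k" "v"',
]
SAMPLE_CONF = "proto-max-bulk-len 4gb\nuser app on >pw ~* +@all -CONFIG\nuser ops on >pw ~* +@all\n"

if __name__ == "__main__":
    print("affected build:", is_affected_build(SAMPLE_INFO))
    print("suspicious CONFIG SET:", scan_monitor_lines(SAMPLE_MONITOR))
    print("redis.conf findings:", audit_redis_conf(SAMPLE_CONF))
```

On the sample data the script reports the 5.0.9 32-bit build as affected, flags only the 4gb CONFIG SET from 10.0.0.5 (the 512mb one equals the default and is ignored), and produces three findings for the redis.conf: the raised limit, the `ops` user that keeps CONFIG, and the missing rename-command. Replace the sample constants with real collected data; the `version_in_affected_range` ranges are exactly those in the Affected Products and Patch Information sections above.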
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.