CVE-2021-29477 Overview
Redis is an open source (BSD licensed), in-memory data structure store widely used as a database, cache, and message broker. An integer overflow vulnerability exists in Redis version 6.0 and newer that can be exploited using the STRALGO LCS command. This vulnerability allows an authenticated attacker to corrupt the heap and potentially achieve remote code execution on affected Redis instances.
Critical Impact
Authenticated attackers can exploit this integer overflow to corrupt heap memory, potentially leading to remote code execution on Redis servers running version 6.0 or newer.
Affected Products
- Redislabs Redis versions 6.0.x prior to 6.0.13
- Redislabs Redis versions 6.2.x prior to 6.2.3
- Fedoraproject Fedora 33 and 34 (with vulnerable Redis packages)
Discovery Timeline
- May 4, 2021 - CVE-2021-29477 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-29477
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw exists within the STRALGO LCS command implementation in Redis versions 6.0 and newer. When processing specially crafted input, an integer overflow condition occurs during length calculations, leading to incorrect memory allocation sizes and subsequent heap corruption.
The STRALGO LCS command implements the Longest Common Subsequence algorithm for string comparison. During the computation, integer values representing string lengths and buffer sizes are processed without adequate bounds checking. An attacker who has authenticated access to the Redis server can craft malicious input that triggers the integer overflow, causing the server to allocate an unexpectedly small buffer while writing a larger amount of data to it.
Root Cause
The root cause of this vulnerability is insufficient validation of integer arithmetic operations in the STRALGO LCS command handler. When calculating buffer sizes for the LCS algorithm, the code performs arithmetic operations on user-controlled length values without checking for overflow conditions. This allows an authenticated user to supply input that causes the multiplication or addition of length values to wrap around, resulting in a small allocation that is subsequently overwritten with more data than it can hold.
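As an added illustration (not Redis's source, which this page does not reproduce), the C model below shows the wraparound pattern described above beside the overflow-checked computation that prevents it: the LCS table needs (alen+1)*(blen+1) cells, and 32-bit arithmetic lets that product wrap to a tiny allocation. The function names and the 64 MiB byte budget are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unsafe pattern from the text: the LCS table needs (alen+1)*(blen+1)
 * uint32_t cells, but computing that in 32-bit arithmetic lets the product
 * wrap, so the returned size can be far smaller than the cells written later.
 * Illustrative model, not Redis's code. */
static uint32_t lcs_table_bytes_unchecked(uint32_t alen, uint32_t blen) {
    uint32_t cells = (alen + 1) * (blen + 1);     /* can wrap to a tiny value */
    return cells * (uint32_t)sizeof(uint32_t);    /* can wrap again */
}

/* Hardened version: reject lengths where +1 would wrap, then check each
 * multiplication with the compiler's overflow-detecting builtins. Returns
 * false if the true size is not representable in size_t. */
static bool lcs_table_bytes_checked(size_t alen, size_t blen, size_t *out) {
    if (alen == SIZE_MAX || blen == SIZE_MAX) return false;
    size_t cells, bytes;
    if (__builtin_mul_overflow(alen + 1, blen + 1, &cells)) return false;
    if (__builtin_mul_overflow(cells, sizeof(uint32_t), &bytes)) return false;
    *out = bytes;
    return true;
}

/* Allocate the table only if the size is both representable and within a
 * caller-supplied byte budget (the budget is an assumed policy knob, not a
 * Redis setting). NULL means "refuse the request", never "small buffer". */
static uint32_t *lcs_table_alloc(size_t alen, size_t blen, size_t max_bytes) {
    size_t bytes;
    if (!lcs_table_bytes_checked(alen, blen, &bytes) || bytes > max_bytes)
        return NULL;
    return calloc(1, bytes);
}

int main(void) {
    /* Constructed lengths: 65535 x 65535 gives (alen+1)*(blen+1) == 2^32,
     * which is exactly 0 in 32-bit arithmetic. */
    size_t bytes = 0;
    printf("unchecked: %u bytes\n", lcs_table_bytes_unchecked(65535, 65535));
    if (lcs_table_bytes_checked(65535, 65535, &bytes))
        printf("checked:   %zu bytes (honest size)\n", bytes);
    uint32_t *t = lcs_table_alloc(65535, 65535, 64u * 1024 * 1024);
    printf("alloc under 64 MiB budget: %s\n", t ? "granted" : "refused");
    free(t);
    return 0;
}
```

The unchecked path reports 0 bytes for the constructed lengths, which is exactly the undersized allocation the text describes; the checked path either reports the honest size or refuses.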
Attack Vector
The attack requires network access and authenticated low-privilege access to the Redis server. An attacker must be able to issue commands to the Redis instance, which typically requires either direct access or exploitation of an application that passes user input to Redis commands.
The attack proceeds as follows:
- The attacker establishes an authenticated connection to the vulnerable Redis server
- The attacker crafts a STRALGO LCS command with carefully chosen string parameters designed to trigger the integer overflow
- When Redis processes the command, the integer overflow causes an undersized heap buffer to be allocated
- Subsequent write operations overflow this buffer, corrupting adjacent heap memory
- With careful exploitation, the heap corruption can be leveraged to achieve arbitrary code execution
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2021-29477
Indicators of Compromise
- Unexpected crashes or segmentation faults in Redis server processes
- Anomalous STRALGO LCS commands in Redis command logs with unusually large or malformed string arguments
- Evidence of heap corruption or memory-related errors in Redis logs
- Unexpected child processes spawned by the Redis server process
Detection Strategies
- Monitor Redis command logs for STRALGO LCS commands with suspicious or malformed parameters
- Implement Redis ACL rules to audit or restrict access to the STRALGO LCS command
- Deploy intrusion detection signatures that identify exploitation attempts targeting this specific command
- Use memory corruption detection tools in development and staging environments to identify exploitation attempts
Monitoring Recommendations
- Enable Redis slowlog and monitor for unusual command patterns involving STRALGO
- Configure alerting for Redis process crashes or unexpected restarts
- Implement network-level monitoring for unusual traffic patterns to Redis ports (default 6379)
- Review Redis ACL logs for unauthorized command attempts
How to Mitigate CVE-2021-29477
Immediate Actions Required
- Upgrade Redis immediately to 6.0.13 or later (6.0.x line) or 6.2.3 or later (6.2.x line)
- If immediate patching is not possible, implement ACL rules to disable the STRALGO LCS command
- Review and restrict network access to Redis instances to trusted hosts only
- Ensure Redis authentication is enabled and uses strong credentials
Patch Information
The vulnerability has been fixed in Redis versions 6.2.3 and 6.0.13. Organizations should upgrade to these versions or later to fully remediate the vulnerability. Patch details and release notes are available through the GitHub Security Advisory. Fedora users should apply the latest security updates as announced in the Fedora Package Announcements. Gentoo users should refer to GLSA 202107-20 for patching guidance.
Workarounds
- Use Redis ACL configuration to prevent clients from executing the STRALGO LCS command
- Restrict Redis access to only trusted internal networks using firewall rules
- Implement application-level filtering to block STRALGO commands if passed through application code
- Consider running Redis in a containerized environment with restricted capabilities as defense-in-depth
# ACL rule to disable the STRALGO command (LCS is its only subcommand)
# Issue via redis-cli; persist with ACL SAVE or an equivalent "user" line in redis.conf or the ACL file (ACL rules cannot be applied with CONFIG SET)
ACL SETUSER default -stralgo
# Alternative: create a restricted application user without STRALGO access (replace strongpassword with a real secret)
ACL SETUSER appuser on >strongpassword ~* +@all -stralgo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


