CVE-2021-32627 Overview
CVE-2021-32627 is an integer overflow vulnerability in Redis, the popular open-source in-memory database. By raising the proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and then sending specially crafted large stream elements, an attacker can trigger the overflow, corrupt the heap and potentially achieve remote code execution.
Critical Impact
Successful exploitation of this integer overflow vulnerability can lead to heap corruption and potentially enable remote code execution on affected Redis instances.
Affected Products
- Redis versions prior to 6.2.6, 6.0.16, and 5.0.14
- Fedora 33, 34, and 35
- Debian Linux 10.0 and 11.0
- NetApp Management Services for Element Software
- NetApp Management Services for NetApp HCI
- Oracle Communications Operations Monitor 4.3, 4.4, and 5.0
Discovery Timeline
- October 4, 2021 - CVE-2021-32627 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-32627
Vulnerability Analysis
This vulnerability stems from an integer overflow condition (CWE-190) in Redis's handling of stream elements. Once the proto-max-bulk-len and client-query-buffer-limit configuration parameters are raised to extremely large values, Redis accepts elements so large that its size calculations can wrap. A specially crafted large stream element then triggers an arithmetic overflow in a size computation, and that wrapped size corrupts the heap.
The vulnerability affects the core data structure handling in Redis, specifically in the ziplist and listpack implementations. When processing oversized stream elements, the integer overflow causes memory allocation routines to allocate smaller buffers than required, leading to heap-based buffer overflows when data is written to these undersized buffers.
Root Cause
The root cause is an integer overflow in Redis's size calculation logic for stream elements. When computing the encoded length of string data in the listpack implementation, the code failed to cast size values to uint64_t before performing arithmetic operations. This resulted in truncation and overflow when handling very large values, causing subsequent memory corruption.
Attack Vector
The attack requires network access to a Redis instance and a client with low privileges. An attacker must:
- Have the ability to modify Redis configuration parameters (proto-max-bulk-len and client-query-buffer-limit)
- Set these parameters to very large values to enable oversized bulk operations
- Construct and send specially crafted large stream elements that trigger the integer overflow
- Exploit the resulting heap corruption to potentially achieve remote code execution
The attack complexity is high due to the requirement of specific configuration changes and crafted payloads, but successful exploitation can lead to complete system compromise.
// Vulnerable code - integer overflow in size calculation
// Source: https://github.com/redis/redis/commit/f6a40570fa63d5afdd596c78083d754081d80ae3
} else {
if (size < 64) *enclen = 1+size;
else if (size < 4096) *enclen = 2+size;
- else *enclen = 5+size;
+ else *enclen = 5+(uint64_t)size;
return LP_ENCODING_STRING;
}
}
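Review bot: the hunk carries no `@@` header, file path or function name, so the reader cannot see the declared type of `size`, yet the whole fix hinges on it: `5+size` only wraps if `size` is a type narrower than `*enclen`, and nothing in the visible lines says so. Suggest quoting the enclosing function signature above the hunk, or adding a one-line note on the types of `size` and `*enclen`. The cast being applied only to the `else` branch is sufficient, since the two branches above it bound `size` below 64 and 4096, where `1+size` and `2+size` cannot overflow.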
The fix casts size to uint64_t before the addition operation to prevent integer overflow when size is very large.
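To show why the cast matters, the following added C example (not Redis code) reimplements the three-branch length computation before and after the fix with size declared uint32_t, matching the listpack encoder's parameter type, and adds a hypothetical safe_to_add bound check of the kind that keeps an oversized element from ever reaching an undersized buffer:

```c
#include <stdint.h>
#include <stdio.h>

/* Listpack string header sizes: 1 byte (len < 64), 2 bytes (len < 4096),
 * else 5 bytes (0xF0 marker + 32-bit length). An element needs header + payload. */

/* Pre-fix arithmetic. `size` is uint32_t, so `5 + size` is evaluated in 32-bit
 * unsigned arithmetic and wraps before it is widened into the 64-bit enclen. */
static uint64_t enclen_vulnerable(uint32_t size) {
    uint64_t enclen;
    if (size < 64) enclen = 1 + size;
    else if (size < 4096) enclen = 2 + size;
    else enclen = 5 + size;              /* wraps for size > UINT32_MAX - 5 */
    return enclen;
}

/* Post-fix arithmetic: the cast widens the operand first, so the sum is exact. */
static uint64_t enclen_fixed(uint32_t size) {
    uint64_t enclen;
    if (size < 64) enclen = 1 + size;
    else if (size < 4096) enclen = 2 + size;
    else enclen = 5 + (uint64_t)size;
    return enclen;
}

/* Added illustration (not Redis code): a bound check run before a buffer is
 * grown, so that no element can push the total past `limit` bytes. */
static int safe_to_add(uint64_t current_bytes, uint32_t elem_size, uint64_t limit) {
    uint64_t need = enclen_fixed(elem_size);
    /* check need first so that limit - need cannot underflow */
    return need <= limit && current_bytes <= limit - need;
}

int main(void) {
    uint32_t size = UINT32_MAX;          /* payload just under 4 GiB */
    printf("vulnerable enclen: %llu bytes for a %u-byte payload\n",
           (unsigned long long)enclen_vulnerable(size), (unsigned)size);  /* 4: far too small */
    printf("fixed enclen:      %llu bytes\n", (unsigned long long)enclen_fixed(size));
    printf("safe_to_add(0, UINT32_MAX, 1 GiB) = %d\n", safe_to_add(0, size, 1ULL << 30));
    return 0;
}
```

The wrapped value is what a caller would hand to an allocator, which is exactly the undersized buffer the analysis above describes.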
Detection Methods for CVE-2021-32627
Indicators of Compromise
- Unusual Redis configuration changes to proto-max-bulk-len or client-query-buffer-limit parameters with extremely large values
- Redis server crashes or unexpected restarts indicating potential exploitation attempts
- Abnormal memory usage patterns in Redis processes
- Presence of oversized stream commands in Redis logs or network traffic
Detection Strategies
- Monitor Redis configuration file changes and runtime CONFIG SET commands for suspicious parameter modifications
- Implement network monitoring to detect unusually large Redis protocol messages
- Deploy memory integrity monitoring for Redis server processes to detect heap corruption
- Review Redis ACL configurations to ensure unprivileged users cannot execute CONFIG SET commands
Monitoring Recommendations
- Configure alerting for Redis process crashes or abnormal terminations
- Implement log analysis for CONFIG SET commands modifying proto-max-bulk-len or client-query-buffer-limit
- Monitor Redis memory metrics for sudden spikes or unusual allocation patterns
- Deploy runtime application self-protection (RASP) solutions capable of detecting heap corruption
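As an added example covering the CONFIG SET log-analysis points in the two lists above (not from the page or from Redis), this C checker scans constructed redis-cli MONITOR lines and flags CONFIG SET of either parameter above a caller-supplied byte limit, parsing the same memory-unit suffixes that redis.conf accepts:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample lines in `redis-cli MONITOR` output format (not real traffic). */
static const char *SAMPLE_LINES[4] = {
    "1633300000.100000 [0 10.0.0.5:51234] \"CONFIG\" \"SET\" \"proto-max-bulk-len\" \"512mb\"",
    "1633300001.200000 [0 10.0.0.5:51234] \"config\" \"set\" \"proto-max-bulk-len\" \"4294967295\"",
    "1633300002.300000 [0 10.0.0.9:40001] \"CONFIG\" \"SET\" \"client-query-buffer-limit\" \"16gb\"",
    "1633300003.400000 [0 10.0.0.9:40001] \"XADD\" \"s\" \"*\" \"f\" \"v\"",
};

/* Copy the next double-quoted token after *p into out and advance *p past it. */
static int next_quoted(const char **p, char *out, size_t outsz) {
    const char *s = strchr(*p, '"'), *e = s ? strchr(s + 1, '"') : NULL;
    if (!e || (size_t)(e - s - 1) >= outsz) return 0;
    memcpy(out, s + 1, e - s - 1);
    out[e - s - 1] = '\0';
    *p = e + 1;
    return 1;
}

/* redis.conf-style memory value ("512mb", "1gb", "4294967295") to bytes, using the
 * unit multipliers Redis accepts (k = 1000, kb = 1024, ...); 0 if unparsable. */
static uint64_t parse_mem(const char *v) {
    static const struct { const char *unit; uint64_t mul; } units[] = {
        {"", 1}, {"b", 1}, {"k", 1000}, {"kb", 1024}, {"m", 1000000},
        {"mb", 1ULL << 20}, {"g", 1000000000}, {"gb", 1ULL << 30} };
    char *end;
    uint64_t n = strtoull(v, &end, 10);
    if (end == v) return 0;
    for (size_t i = 0; i < sizeof units / sizeof units[0]; i++)
        if (!strcasecmp(end, units[i].unit)) return n * units[i].mul;
    return 0;
}

/* 1 when the line is CONFIG SET of proto-max-bulk-len or client-query-buffer-limit
 * with a value above `limit` bytes; case-insensitive, as the Redis parser is. */
int is_suspicious_config_set(const char *line, uint64_t limit) {
    char cmd[16], sub[16], param[64], val[64];
    const char *p = strchr(line, ']');            /* skip timestamp and client prefix */
    if (!p) p = line;
    if (!next_quoted(&p, cmd, sizeof cmd) || strcasecmp(cmd, "CONFIG")) return 0;
    if (!next_quoted(&p, sub, sizeof sub) || strcasecmp(sub, "SET")) return 0;
    if (!next_quoted(&p, param, sizeof param) || !next_quoted(&p, val, sizeof val)) return 0;
    if (strcasecmp(param, "proto-max-bulk-len") && strcasecmp(param, "client-query-buffer-limit")) return 0;
    return parse_mem(val) > limit;
}
```

The limit is a site choice; Redis ships with 512mb for proto-max-bulk-len and 1gb for client-query-buffer-limit, so values well above those deserve a look.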
How to Mitigate CVE-2021-32627
Immediate Actions Required
- Upgrade Redis immediately to a patched version: 6.2.6, 6.0.16, or 5.0.14
- Restrict access to Redis instances using network segmentation and firewall rules
- Implement Redis ACL to prevent unprivileged users from using the CONFIG SET command
- Review and audit current Redis configuration for unusual parameter values
Patch Information
Redis has released security patches addressing this vulnerability. The fix is available in Redis versions 6.2.6, 6.0.16, and 5.0.14. The patch corrects the integer overflow by ensuring proper type casting in size calculations. For more details, see the GitHub Redis Commit and the GitHub Security Advisory GHSA-f434.
Additional security advisories have been published by downstream distributions including Debian Security Advisory DSA-5001, Fedora Package Announcements, and Oracle CPU April 2022 Alerts.
Workarounds
- Use Redis ACL to restrict unprivileged users from executing the CONFIG SET command
- Manually verify that proto-max-bulk-len is set to safe default values and cannot be modified by untrusted users
- Implement network-level access controls to limit Redis exposure to trusted clients only
- Consider deploying Redis in protected mode with authentication requirements enabled
# Configuration example - Restrict CONFIG SET using Redis ACL
# Run these commands via redis-cli. ACL SETUSER is a command, not a redis.conf directive;
# the equivalent redis.conf line is: user restricted_user on >strongpassword ~* +@all -config
# Create a restricted user that cannot use CONFIG SET (or any other CONFIG subcommand)
ACL SETUSER restricted_user on >strongpassword ~* +@all -CONFIG
# The default user keeps full access: give administrators their own user and restrict default as well
# Verify the ACL is properly configured (the entry for restricted_user should show -config)
ACL LIST
# Ensure protected mode is enabled (it only takes effect when no bind address and no password are set)
CONFIG SET protected-mode yes
# Persist the runtime changes (use ACL SAVE instead when users live in a separate aclfile)
CONFIG REWRITE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.