CVE-2021-32628 Overview
CVE-2021-32628 is an integer overflow vulnerability affecting the ziplist data structure in Redis, an open source in-memory database that persists on disk. This vulnerability can be exploited to corrupt the heap and potentially result in remote code execution. The flaw affects all versions of Redis prior to the security patches and requires an attacker to modify ziplist configuration parameters to very large values before constructing specially crafted commands to create oversized ziplists.
Critical Impact
Successful exploitation of this integer overflow vulnerability can lead to heap corruption and remote code execution, allowing attackers to gain control of affected Redis instances and potentially compromise the underlying system.
Affected Products
- Redis (versions prior to 6.2.6, 6.0.16, and 5.0.14)
- Fedora 33, 34, and 35
- Debian Linux 10.0 and 11.0
- NetApp Management Services for Element Software
- NetApp Management Services for NetApp HCI
- Oracle Communications Operations Monitor 4.3, 4.4, and 5.0
Discovery Timeline
- 2021-10-04 - CVE-2021-32628 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32628
Vulnerability Analysis
The vulnerability resides in how Redis handles integer calculations within the ziplist data structure. Ziplists are a compact, memory-efficient encoding used by Redis for storing small lists, sets, and hashes. The integer overflow occurs when specific ziplist configuration parameters are set to extremely large values, causing size calculations to wrap around and produce incorrect results.
The exploitation requires modifying the following configuration parameters to very large values:
- hash-max-ziplist-entries
- hash-max-ziplist-value
- zset-max-ziplist-entries
- zset-max-ziplist-value
Once these parameters are manipulated, an attacker can construct specially crafted commands that create ziplists exceeding expected boundaries. The integer overflow during size calculations leads to undersized memory allocations, which subsequently causes heap corruption when data is written beyond allocated buffer boundaries.
Root Cause
The root cause is an integer overflow bug (CWE-190) in the ziplist and listpack encoding functions. When calculating buffer sizes for large ziplist structures, the code fails to properly handle integer overflow conditions. This results in truncated size values, causing the allocation of insufficiently sized memory buffers. The vulnerability specifically manifests when processing string encodings where size calculations can overflow due to improper type handling.
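As an added illustration of the wrap described above (a hypothetical reconstruction written for this page, not Redis' own code), the pre-patch and patched shapes of the string header-length calculation sit side by side with a checked variant that a defender would write for allocation-size arithmetic in general; the function names string_enclen_unfixed, string_enclen_fixed, string_enclen_checked and allocation_undersized are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reconstruction of the listpack string-length calculation, not
   Redis' own code: the three tiers mirror the 1-, 2- and 5-byte headers in the
   page's patch. */

/* Pre-patch shape: the sum is evaluated in 32 bits before being stored into a
   64-bit length, so a size near UINT32_MAX wraps to a tiny header+payload. */
uint64_t string_enclen_unfixed(uint32_t size) {
    uint32_t enclen;                 /* 5+size is computed in 32 bits */
    if (size < 64) enclen = 1 + size;
    else if (size < 4096) enclen = 2 + size;
    else enclen = 5 + size;          /* wraps when size > UINT32_MAX - 5 */
    return enclen;
}

/* Patched shape: widen the operand before adding so the sum cannot wrap. */
uint64_t string_enclen_fixed(uint32_t size) {
    if (size < 64) return 1 + (uint64_t)size;
    else if (size < 4096) return 2 + (uint64_t)size;
    else return 5 + (uint64_t)size;
}

/* Defensive variant for allocation-size arithmetic in general: reject any
   payload whose encoded length would not fit size_t instead of widening. */
bool string_enclen_checked(size_t size, size_t *enclen) {
    size_t hdr = size < 64 ? 1 : (size < 4096 ? 2 : 5);
    if (size > SIZE_MAX - hdr) return false;   /* hdr + size would overflow */
    *enclen = hdr + size;
    return true;
}

/* True when the computed length cannot even hold the payload, i.e. the buffer
   the encoder would allocate from it is undersized and a later copy overflows. */
bool allocation_undersized(uint64_t enclen, uint64_t size) {
    return enclen < size;
}
```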
Attack Vector
The attack is network-based and requires authenticated access to a Redis instance with permissions to modify configuration parameters. An attacker must:
- Gain authenticated access to the Redis server
- Use CONFIG SET to modify ziplist configuration parameters to very large values
- Issue specially crafted commands that trigger ziplist creation with malicious data, so that the integer overflow corrupts the heap during the ziplist encoding process
- Achieve remote code execution through heap manipulation techniques
The following patch demonstrates the security fix applied to address the integer overflow in src/listpack.c:
} else {
if (size < 64) *enclen = 1+size;
else if (size < 4096) *enclen = 2+size;
- else *enclen = 5+size;
+ else *enclen = 5+(uint64_t)size;
return LP_ENCODING_STRING;
}
}
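Review bot: the widening in `+ else *enclen = 5+(uint64_t)size;` only helps if `*enclen` points to a 64-bit integer; if its pointee type is narrower the sum is truncated again on store, so confirm the declared type of `enclen` in this function. A comment on the `else` branch explaining why the cast is needed there would also help: the `size < 64` and `size < 4096` branches are bounded by their comparisons and cannot wrap, so the asymmetry is deliberate, but without a note it reads like an oversight.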
Source: Redis Security Commit
The fix casts size to uint64_t before performing the addition, preventing integer overflow when handling large string encodings.
Additionally, in src/geo.c, the patch introduces tracking for total element length:
robj *zobj;
zset *zs;
int i;
- size_t maxelelen = 0;
+ size_t maxelelen = 0, totelelen = 0;
if (returned_items) {
zobj = createZsetObject();
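Review bot: `totelelen` is introduced in `+ size_t maxelelen = 0, totelelen = 0;` but nothing in the visible context accumulates into it or passes it on, so make sure the remainder of the patch adds each returned element's length to it and feeds it to the encoding-size check alongside `maxelelen`; otherwise it is an unused variable. Declaring the two counters on separate lines would also make the change easier to read.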
Source: Redis Security Commit
Detection Methods for CVE-2021-32628
Indicators of Compromise
- Unusual CONFIG SET commands modifying hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries, or zset-max-ziplist-value parameters to extremely large values
- Redis server crashes or unexpected restarts potentially indicating exploitation attempts
- Anomalous memory consumption patterns in Redis processes
- Evidence of unauthorized configuration changes in Redis logs
Detection Strategies
- Monitor Redis command logs for suspicious CONFIG SET operations targeting ziplist parameters
- Implement alerting on Redis server crashes or segmentation faults that may indicate heap corruption
- Deploy memory integrity monitoring tools to detect heap corruption attempts
- Review Redis ACL configurations for users who hold CONFIG or other administrative command access they should not have
Monitoring Recommendations
- Enable Redis slow log and command logging to capture configuration modification attempts
- Configure system-level monitoring for Redis process stability and memory anomalies
- Implement network traffic analysis to detect unusual command patterns against Redis instances
- Set up automated alerts for any modifications to critical ziplist configuration parameters
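To make the command-log indicators above concrete, here is an added example (written for this page, not code from the Redis project) that scans MONITOR-format lines for CONFIG SET of the four ziplist parameters and flags values beyond a tolerance; the 4x-default threshold, the constructed sample lines and the names ziplist_config_alert and count_sample_alerts are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Parameters named in the advisory with the defaults listed under Workarounds;
   the tolerance (alert above 4x the default) is an assumption, not from the page. */
static const struct { const char *name; uint64_t dflt; } kWatched[] = {
    {"hash-max-ziplist-entries", 512}, {"hash-max-ziplist-value", 64},
    {"zset-max-ziplist-entries", 128}, {"zset-max-ziplist-value", 64},
};
/* Case-insensitive prefix test: MONITOR echoes whatever casing the client sent. */
static bool prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}
/* Parses one MONITOR-style line, e.g.
   1633000000.2 [0 10.0.0.5:51234] "CONFIG" "SET" "hash-max-ziplist-value" "4294967295"
   Returns true (filling param/value) for a CONFIG SET that pushes a watched
   ziplist parameter past its tolerance. */
bool ziplist_config_alert(const char *line, char *param, size_t plen, uint64_t *value) {
    static const char kHead[] = "\"config\" \"set\" \"";
    const char *p = strchr(line, '"');            /* first quoted token = command */
    if (!p || !prefix_ci(p, kHead)) return false;
    p += sizeof kHead - 1;                        /* start of the parameter name */
    const char *end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= plen || strncmp(end, "\" \"", 3) != 0) return false;
    memcpy(param, p, (size_t)(end - p)); param[end - p] = '\0';
    char *stop; *value = strtoull(end + 3, &stop, 10);   /* next quoted token */
    if (stop == end + 3 || *stop != '"') return false;
    for (size_t i = 0; i < sizeof kWatched / sizeof kWatched[0]; i++)
        if (strlen(param) == strlen(kWatched[i].name) && prefix_ci(param, kWatched[i].name))
            return *value > 4 * kWatched[i].dflt;
    return false;                                 /* some other CONFIG SET */
}
/* Constructed sample MONITOR lines (not real captures). */
static const char *kSample[] = {
    "1633000000.100000 [0 10.0.0.5:51234] \"SET\" \"k\" \"v\"",
    "1633000000.200000 [0 10.0.0.5:51234] \"CONFIG\" \"SET\" \"hash-max-ziplist-value\" \"4294967295\"",
    "1633000000.300000 [0 10.0.0.7:40000] \"config\" \"set\" \"zset-max-ziplist-entries\" \"128\"",
};
/* Runs the detector over the samples and returns how many lines alert (1 here). */
int count_sample_alerts(void) {
    int n = 0; char param[64]; uint64_t v;
    for (size_t i = 0; i < sizeof kSample / sizeof kSample[0]; i++)
        if (ziplist_config_alert(kSample[i], param, sizeof param, &v)) n++;
    return n;
}
```

The same parser applies to lines from a MONITOR stream piped through redis-cli, since the quoted-argument layout is identical.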
How to Mitigate CVE-2021-32628
Immediate Actions Required
- Upgrade Redis to patched versions: 6.2.6, 6.0.16, or 5.0.14 immediately
- Review and restrict Redis network exposure using firewalls and network segmentation
- Implement Redis ACL to restrict unprivileged users from executing CONFIG SET commands
- Audit all Redis instances in your environment for vulnerable versions
Patch Information
Redis has released security patches in versions 6.2.6, 6.0.16, and 5.0.14 that address this integer overflow vulnerability. The fix involves proper type casting during size calculations to prevent integer overflow conditions. Organizations should update to these versions or later immediately.
Relevant security advisories:
- GitHub Security Advisory GHSA-vw22-qm3h-49pr
- Debian Security Advisory DSA-5001
- NetApp Security Advisory NTAP-20211104-0003
- Oracle Security Alert April 2022
Workarounds
- Use Redis ACL to prevent unprivileged users from using the CONFIG SET command
- Restrict the ziplist configuration parameters to safe default values
- Implement network-level access controls to limit Redis access to trusted clients only
- Consider disabling remote CONFIG command access entirely using rename-command CONFIG ""
# Configuration example - restrict the CONFIG command via ACL
# Add to redis.conf (or apply at runtime with ACL SETUSER, not CONFIG SET);
# replace >password with a real password. Order matters: -CONFIG must follow +@all
user default on >password ~* +@all -CONFIG
# Alternative: remove the CONFIG command entirely (redis.conf only; use one of
# the two options, since an ACL rule naming a removed command fails to load)
rename-command CONFIG ""
# Set reasonable ziplist limits (these are the Redis defaults; CONFIG SET can
# also apply them at runtime on a server that has not yet been upgraded)
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.