Vulnerability CVE-2021-32672

Vulnerability Name:

CVE-2021-32672 (CCN-210726)

Assigned:

2021-10-04

Published:

2021-10-04

Updated:

2022-10-06

Summary:

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

3.1 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.7 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-125

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-32672

Source: XF
Type: UNKNOWN
redis-cve202132672-info-disc(210726)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd

Source: CCN
Type: Redis GIT Repository
Vulnerability in Lua Debugger

Source: CONFIRM
Type: Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-61c487f241

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-8913c7900c

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-aa94492a09

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-17

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/

Source: DEBIAN
Type: Third Party Advisory
DSA-5001

Source: CCN
Type: IBM Security Bulletin 6523748 (Event Streams)
Multiple vulnerabilities in Redis affecting the IBM Event Streams UI

Source: CCN
Type: IBM Security Bulletin 6597535 (Watson Knowledge Catalog on-prem)
Mutiple Vulnerabilities in Redis affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6599643 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to various attacks due to its use of redis (CVE-2021-32675, CVE-2021-32626, CVE-2021-32672)

Source: CCN
Type: IBM Security Bulletin 6825987 (Robotic Process Automation)
Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 7006571 (Robotic Process Automation for Cloud Pak)
Multiple vulnerabilities in Redis may affect IBM Robotic Process Automation for Cloud Pak

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:redis:redis:*:*:*:*:*:*:*:* (Version >= 6.2.0 and < 6.2.6)

OR cpe:/a:redis:redis:*:*:*:*:*:*:*:* (Version >= 6.0.0 and < 6.0.16)

OR cpe:/a:redis:redis:*:*:*:*:*:*:*:* (Version >= 3.2.0 and < 5.0.14)

Configuration 2:

cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:software_collections:-:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 4:

cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 5:

cpe:/a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:*

Configuration 6:

cpe:/a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:redislabs:redis:*:*:*:*:*:*:*:*

AND

cpe:/a:ibm:event_streams:2019.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8069	P	velocity-1.7-150200.3.7.3 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:8004	P	dom4j-1.6.1-150200.12.6.3 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:3519	P	gv-3.7.4-1.36 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95149	P	redis-6.2.6-150400.1.5 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:113332	P	redis-6.2.6-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:96085	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:111795	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:102775	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:69093	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:102222	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:109441	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:118537	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:69158	P	Security update for redis (Important)	2021-11-23
oval:org.opensuse.security:def:1646	P	Security update for redis (Important)	2021-11-23

BACK