Redis security vulnerabilities in HyperLogLog and a DoS fixed. #6215


antirez opened this issue Jul 8, 2019 · 2 comments

@antirez (Owner) commented Jul 8, 2019

Hi all,

On the 15th of March 2019 I sent a communication, along with patches, to fix two vulnerabilities in Redis.

  1. The HyperLogLog code implementation had insufficient sanity checks, resulting in a buffer overflow. This was reported by @JohnSully.
  2. Moreover, @JohnSully reported a DoS: Redis could be crashed in case it was possible to call REPLICAOF in the wrong context. This is less of a problem because normally cloud providers do not expose the REPLICAOF command.

A few hours later:

  1. Auditing the same code paths I found two more issues in hyperloglog.c, that were also fixed.

I provided the fixes to a number of companies running Redis as a service, in order for them to get the vulnerabilities fixed. Those who run Redis in their own systems are a lot less affected by these issues: if you have trusted clients, they can anyway do a lot of damage (this will change in Redis 6 because of ACLs). So what happened was the following:

  1. 15th of March: I reported the vulnerabilities to a closed list of cloud providers, the Debian Linux distribution maintainers, and other folks that previously helped with Redis security.
  2. 15th of March (later in the day): I did some auditing and found other issues in the hyperloglog file. I updated the patches.
  3. 18th of March: I released Redis 5.0.4, 4.0.14 and 3.2.13, with silent fixes. Actually there was nothing misleading in the commit messages, just security implications were not mentioned.
  4. We gave time to upgrade.
  5. Now, 8 July 2019, I'm releasing this statement.

The commits fixing all these issues are the following:

For the HyperLogLog:

  • e216cea HyperLogLog: handle wrong offset in the base case.
  • a4b90be HyperLogLog: enlarge reghisto variable for safety.
  • 9f13b2b Fix hyperloglog corruption

The other vulnerability was a DoS that was fixed here:

  • 5b52bc7 Replicas aren't allowed to run the replicaof command

Hopefully you may already be running a fixed Redis because we upgraded all the versions on the 18th of March; otherwise you may think about upgrading in case your clients are not trusted, or for any other reason regarding your security policy.
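A quick way to act on the advice above is to compare the running server's `redis_version` (as reported by `INFO server`) against the three patched releases named in this issue (5.0.4, 4.0.14, 3.2.13). The script below is an added example, not code from the Redis project or from this issue's author; the branch policy it applies (any branch newer than 5.0 is treated as fixed, any older branch not listed here is treated as unfixed) is an assumption of the example, and the `INFO` text it parses is a constructed sample.

```python
"""Check whether a Redis version string is at or above the releases that
carry the HyperLogLog and REPLICAOF fixes (5.0.4, 4.0.14, 3.2.13).

Added example, not Redis project code. Assumption: branches newer than 5.0
were cut after the 18 March 2019 fixes and are treated as fixed; older
branches not in FIXED_RELEASES are treated conservatively as unfixed."""
import re
from typing import Optional, Tuple

# Minimum patched release per maintained branch, as listed in the issue text.
FIXED_RELEASES = {
    (5, 0): (5, 0, 4),
    (4, 0): (4, 0, 14),
    (3, 2): (3, 2, 13),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch'; trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """True if this version carries the fixes named in the issue."""
    v = parse_version(version)
    if v is None:
        return False  # unparseable: treat as unfixed rather than guess
    branch = (v[0], v[1])
    if branch in FIXED_RELEASES:
        return v >= FIXED_RELEASES[branch]
    # Assumption: branches newer than the newest listed branch (5.0) postdate the fixes.
    return branch > max(FIXED_RELEASES)


def version_from_info(info: str) -> Optional[str]:
    """Extract the redis_version field from the text returned by INFO server."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample of INFO server output (not captured from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:5.0.3\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    print(v, "fixed" if v and is_fixed(v) else "NOT fixed, upgrade")
```

In practice `SAMPLE_INFO` would be replaced with the output of `redis-cli INFO server` from each instance you operate; the version check alone does not tell you whether untrusted clients can reach the server, which the post identifies as the deciding factor.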

@carnil carnil commented Jul 9, 2019

So the mapping for the two CVEs to the commits seems to be:

Debian Bug: https://bugs.debian.org/931625
