Wind River Support Network


LIN1021-465 : Security Advisory - redis - CVE-2021-32625

Created: Jun 1, 2021    Updated: Sep 25, 2021
Resolved Date: Sep 1, 2021
Found In Version:
Fix Version:
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Userspace


Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the 'STRALGO LCS' command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the 'redis-server' executable is to use ACL configuration to prevent clients from using the 'STRALGO LCS' command.
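The ACL workaround in concrete form, as an added example that is not part of the advisory: a redis.conf `user` directive that removes STRALGO from the default user, shown next to the permissive default it replaces, with the redis-cli commands to apply and verify it on a running 6.x server. The user name, the other permissions and the expected error text are assumptions about a typical 6.x deployment, not values from the advisory.

```conf
# redis.conf (6.0.x / 6.2.x) -- added example, not from the advisory
#
# Weak setting: the implicit default user may run every command,
# including STRALGO (the only STRALGO algorithm is LCS).
#   user default on nopass ~* +@all
#
# Mitigated setting: keep the same access, but deny STRALGO outright.
# Redis 6.x ACLs cannot deny a single subcommand, so the whole command
# is removed; on 6.x that is exactly 'STRALGO LCS'.
user default on nopass ~* +@all -stralgo

# Apply the same rule at runtime without a restart (assumed host/port):
#   redis-cli -h 127.0.0.1 -p 6379 ACL SETUSER default -stralgo
#   redis-cli -h 127.0.0.1 -p 6379 ACL SAVE      # only if 'aclfile' is configured
#
# Verify: the denied command must now be rejected with NOPERM.
#   redis-cli -h 127.0.0.1 -p 6379 STRALGO LCS STRINGS abc abd
#   (error) NOPERM this user has no permissions to run the 'stralgo' command or its subcommand
#
# Verify the rule survived a restart:
#   redis-cli -h 127.0.0.1 -p 6379 ACL GETUSER default   # 'commands' lists "-stralgo"
```

Repeat the `-stralgo` rule for every other ACL user that has `+@all` or `+@string`, since the default user is not the only account that can reach the command.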

