Allocation of Resources Without Limits or Throttling Affecting redis-doc package, versions <0:5.0.3-5.module+el8.4.0+20382+7694043a


Severity

Recommended
0.0
high
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
1.15% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE8-REDISDOC-2588813
  • published10 Apr 2022
  • disclosed4 Oct 2021

Introduced: 4 Oct 2021

CVE-2021-32675  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Oracle:8 redis-doc to version 0:5.0.3-5.module+el8.4.0+20382+7694043a or higher.
This issue was patched in ELSA-2021-3918.

NVD Description

Note: Versions mentioned in the description apply only to the upstream redis-doc package and not the redis-doc package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.

References

CVSS Scores

version 3.1