Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM4C0459B472980677A40E3CF155DE2A1EFC62E3D683BAE8F564C49FDED9424F02
HistoryDec 21, 2021 - 5:42 p.m.

Security Bulletin: Multiple vulnerabilities in Redis affecting the IBM Event Streams UI

2021-12-2117:42:58
www.ibm.com
21
redis
ibm event streams
ui
buffer overflow
integer overflow
remote attack
arbitrary code
sensitive information

EPSS

0.023

Percentile

89.9%

JSON

Summary

Multiple vulnerabilities are exposed in the Redis implementation used as the in memory database for the Event Streams UI.

Vulnerability Details

CVEID:CVE-2021-32626
**DESCRIPTION:**Redis is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By executing specially-crafted Lua scripts, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210723 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32628
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow in the handling of large ziplists. By sending a specially-crafted request using the ziplist configuration parameters, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210725 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32627
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow with Streams. By sending a specially-crafted request using the proto-max-bulk-len and client-query-buffer-limit configuration parameters, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210724 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-41099
**DESCRIPTION:**Redis is vulnerable to an heap-based buffer overflow, caused by improper bounds checking in the underlying string library. By sending a specially-crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210649 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32672
**DESCRIPTION:**Redis could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the Lua Debugger. By sending specially-crafted requests, an attacker could exploit this vulnerability to read data beyond the actual buffer, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210726 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-32687
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow with intsets. By sending a specially-crafted request using the intsets, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32675
**DESCRIPTION:**Redis is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted Redis Standard Protocol (RESP) requests, a remote attacker could exploit this vulnerability to allocate significant amount of memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210727 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Event Streams 2019.4.1, 2019.4.2, 2019.4.3, 2019.4.4
IBM Event Streams 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.0

Remediation/Fixes

IBM Event Streams (Helm-based releases)

IBM Event Streams (Continuous Delivery)

IBM Event Streams (Extended Update Support)

Workarounds and Mitigations

None

Related

osv 36
almalinux 2
nessus 27
redhat 11
rocky 2
oraclelinux 2
openvas 13
fedora 3
mageia 1
freebsd 1
suse 1
debian 2
ubuntu 1
ibm 6
photon 8
gentoo 1
cbl_mariner 14
debiancve 7
prion 7
redhatcve 7
cve 7
alpinelinux 7
ubuntucve 7
nvd 7
veracode 7
cvelist 7
oracle 1
osv
osv
Important: redis:5 security update
2021-10-19 13:14:11
Important: redis:6 security update
2021-10-20 12:46:40
Important: redis:5 security update
2021-10-19 13:14:11
almalinux
almalinux
Important: redis:6 security update
2021-10-20 12:46:40
Important: redis:5 security update
2021-10-19 13:14:11
nessus
nessus
RHEL 8 : redis:5 (RHSA-2021:3946)
2021-10-21 00:00:00
RHEL 7 : Red Hat OpenStack Platform 10.0 (redis) (RHSA-2021:3971)
2021-10-26 00:00:00
CentOS 8 : redis:5 (CESA-2021:3918)
2021-10-28 00:00:00
redhat
redhat
(RHSA-2021:3944) Important: redis:5 security update
2021-10-20 12:38:31
(RHSA-2021:3946) Important: redis:5 security update
2021-10-20 12:46:50
(RHSA-2021:3980) Important: Red Hat OpenStack Platform 13.0 (redis) security update
2021-10-25 17:48:44
rocky
rocky
redis:5 security update
2021-10-19 13:14:11
redis:6 security update
2021-10-20 12:46:40
oraclelinux
oraclelinux
redis:5 security update
2021-10-19 00:00:00
redis:6 security update
2021-10-20 00:00:00
openvas
openvas
Fedora: Security Advisory for redis (FEDORA-2021-61c487f241)
2021-10-21 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:3772-1)
2021-11-24 00:00:00
Debian: Security Advisory (DSA-5001-1)
2021-11-07 00:00:00
fedora
fedora
[SECURITY] Fedora 33 Update: redis-6.0.16-1.fc33
2021-10-12 23:47:15
[SECURITY] Fedora 35 Update: redis-6.2.6-1.fc35
2021-10-29 23:18:43
[SECURITY] Fedora 34 Update: redis-6.2.6-1.fc34
2021-10-12 23:45:06
mageia
mageia
Updated redis packages fix security vulnerability
2021-10-21 00:28:32
freebsd
freebsd
redis -- multiple vulnerabilities
2021-10-04 00:00:00
suse
suse
Security update for redis (important)
2021-11-23 00:00:00
debian
debian
[SECURITY] [DSA 5001-1] redis security update
2021-11-05 19:30:06
[SECURITY] [DLA 2810-1] redis security update
2021-11-05 11:07:22
ubuntu
ubuntu
Redis vulnerabilities
2022-08-03 00:00:00
ibm
ibm
Security Bulletin: Mutiple Vulnerabilities in Redis affecting Watson Knowledge Catalog for IBM Cloud Pak for Data
2022-06-22 09:58:56
Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
2022-10-06 04:10:57
Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to various attacks due to its use of redis (CVE-2021-32675, CVE-2021-32626, CVE-2021-32672)
2022-06-29 14:12:06
photon
photon
Important Photon OS Security Update - PHSA-2021-3.0-0320
2021-10-28 00:00:00
Moderate Photon OS Security Update - PHSA-2021-0116
2021-10-13 00:00:00
Moderate Photon OS Security Update - PHSA-2021-0443
2021-10-13 00:00:00
gentoo
gentoo
Redis: Multiple Vulnerabilities
2022-09-29 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-32672 affecting package redis for versions less than 6.2.6-1
2022-04-09 06:51:55
CVE-2021-32672 affecting package redis 5.0.5-7
2021-10-22 04:51:42
CVE-2021-32675 affecting package redis 5.0.5-7
2021-10-22 04:51:42
debiancve
debiancve
CVE-2021-32672
2021-10-04 18:15:08
CVE-2021-32687
2021-10-04 18:15:08
CVE-2021-32627
2021-10-04 18:15:08
prion
prion
Design/Logic Flaw
2021-10-04 18:15:00
Integer overflow
2021-10-04 18:15:00
Design/Logic Flaw
2021-10-04 18:15:00
redhatcve
redhatcve
CVE-2021-32628
2021-10-05 18:58:39
CVE-2021-32626
2021-10-05 18:58:38
CVE-2021-32675
2021-10-05 18:49:10
cve
cve
CVE-2021-32687
2021-10-04 18:15:08
CVE-2021-32626
2021-10-04 18:15:08
CVE-2021-32672
2021-10-04 18:15:08
alpinelinux
alpinelinux
CVE-2021-32687
2021-10-04 18:15:08
CVE-2021-32628
2021-10-04 18:15:08
CVE-2021-32675
2021-10-04 18:15:08
ubuntucve
ubuntucve
CVE-2021-32687
2021-10-04 00:00:00
CVE-2021-32626
2021-10-04 00:00:00
CVE-2021-32672
2021-10-04 00:00:00
nvd
nvd
CVE-2021-32675
2021-10-04 18:15:08
CVE-2021-32627
2021-10-04 18:15:08
CVE-2021-32626
2021-10-04 18:15:08
veracode
veracode
Denial Of Service (DoS)
2021-10-05 13:23:45
Remote Code Execution (RCE)
2021-10-05 12:06:07
Remote Code Execution (RCE)
2021-10-05 13:32:20
cvelist
cvelist
CVE-2021-32628 Vulnerability in handling large ziplists
2021-10-04 17:35:11
CVE-2021-32672 Vulnerability in Lua Debugger in Redis
2021-10-04 17:40:10
CVE-2021-32687 Integer overflow issue with intsets in Redis
2021-10-04 17:55:10
oracle
oracle
Oracle Critical Patch Update Advisory - April 2022
2022-04-19 00:00:00

EPSS

0.023

Percentile

89.9%

JSON
Related for 4C0459B472980677A40E3CF155DE2A1EFC62E3D683BAE8F564C49FDED9424F02
osv36almalinux2nessus27redhat11rocky2oraclelinux2openvas13fedora3mageia1freebsd1suse1debian2ubuntu1ibm6photon8gentoo1cbl_mariner14debiancve7prion7redhatcve7cve7alpinelinux7ubuntucve7nvd7veracode7cvelist7oracle1