SB2019080915 - Gentoo update for Redis
Published: August 9, 2019 Updated: August 25, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2018-11218)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to stack-based buffer overflow in the cmsgpack library in the Lua subsystem. A remote unauthenticated attacker can trigger memory corruption and cause the service to crash.
2) Integer overflow (CVE-ID: CVE-2018-11219)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to integer overflow in the struct library in the Lua subsystem. A remote unauthenticated attacker can trigger memory corruption and cause the service to crash.
3) Heap-based buffer overflow (CVE-ID: CVE-2019-10192)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Redis hyperloglog data structure. A remote attacker can carefully corrupt hyperloglog using the SETRANGE command, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Stack-based buffer overflow (CVE-ID: CVE-2019-10193)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Redis hyperloglog data structure. A remote attacker can carefully corrupt hyperloglog using the SETRANGE command, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.