An example of this vulnerability can be found in the “/(?=^|\^)foo\bar/” regular expression, which causes the regular expression engine to exhaust all available stack memory when compiling the pattern, if the “gopkg.in/x/redex.v1/redex.v1” package is not installed. Redis clients that consume this dataset and do not set the “redis.conf.set-stack-size” setting to a value smaller than the Redis protocol limits, will experience a remote denial of service. Redis clients that are running with the “redis.conf.set-stack-size” setting set to a value larger than the Redis protocol limits is not affected by this issue. Redis clients that are running with the “redis.conf.set-stack-size” setting set to a value equal to or larger than the Redis protocol limits is not affected by this issue. Redis clients that are running with the “redis.conf.set-stack-size” setting set to a value smaller than the Redis protocol limits is not affected by this issue. Redis clients that are running with the “redis.conf.set-stack-size” setting set to a value equal to or smaller than the Redis protocol limits is not affected by this issue. Redis clients that are running with
Affected Versions
Redis v5.0.0 through v5.2.6, Redis Sentinel v1.2.0 and later
Mitigation
The Redis protocol limits are 8MB by default. On the “Redis configuration” page, users can set a maximum stack size for their connection to Redis. The available algorithm for this setting is “kilo” or “mega”, which is equivalent to 2 or 128 MB.
Timeline
Published on: 03/05/2022 20:15:00 UTC
Last modified on: 08/04/2022 16:15:00 UTC
References
- https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
- https://security.netapp.com/advisory/ntap-20220325-0010/
- https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
- https://security.gentoo.org/glsa/202208-02
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24921