CVE-2022-24921: regexp.Compile in Go before 1.16.15, and in 1.17.x before 1.17.8, allows stack exhaustion via a deeply nested expression.

The regexp package parses a pattern into a syntax tree and then walks that tree recursively, once to simplify it and again to compile it into the matching program. Every nested group or repetition adds a level to the tree, so a pattern of the form "((((...(a)...))))" with thousands of nested groups forces recursion thousands of frames deep. Affected releases placed no bound on this depth, so anyone who controls the pattern handed to regexp.Compile (or to regexp.MustCompile, regexp.MatchString and the other helpers that compile on the caller's behalf) can exhaust the goroutine stack. Go treats stack overflow as a fatal runtime error rather than a recoverable panic, so the whole process terminates: a remote denial of service for any service that compiles user-supplied patterns, for example a search endpoint or a log filter that accepts a regular expression from the client.

Affected Versions

Go before 1.16.15, and Go 1.17.x before 1.17.8. Any program built with an affected toolchain that compiles untrusted patterns is exposed; the fix is in the standard library, so binaries must be rebuilt with a fixed release.

Mitigation

Upgrade to Go 1.16.15 or 1.17.8 (or any later release) and rebuild: the fixed parser rejects expressions nested more than 1000 levels deep and returns an error from regexp.Compile instead of recursing without bound. Where rebuilding is not immediately possible, bound the length and nesting depth of any pattern that comes from an untrusted source before passing it to regexp.Compile, and where a fixed pattern or a literal search will do (strings.Contains, or regexp.QuoteMeta applied to the user's input), avoid compiling user-controlled patterns at all.
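The following program is an added example, not code from the Go project or from this advisory. It builds the nested pattern described above, shows regexp.Compile rejecting it on a fixed toolchain, and implements the pre-filter suggested as an interim mitigation. nestedPattern, nestingDepth and compileUntrusted are hypothetical helper names, the maxLen and maxDepth limits are assumed application-chosen values, and the test patterns are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// nestedPattern builds "(((...(a)...)))" with depth nested capture groups.
// Constructed input for the example: this is the shape of pattern that
// triggers the unbounded recursion in affected Go releases.
func nestedPattern(depth int) string {
	return strings.Repeat("(", depth) + "a" + strings.Repeat(")", depth)
}

// tryCompile hands a pattern straight to regexp.Compile and reports whether it
// was accepted. On Go 1.16.15 / 1.17.8 and later a very deep pattern comes back
// as an error; on affected releases the same call can overflow the goroutine
// stack, which is a fatal runtime error that kills the process.
func tryCompile(pattern string) (bool, error) {
	_, err := regexp.Compile(pattern)
	return err == nil, err
}

// nestingDepth is a hypothetical pre-filter (not part of the standard library)
// that counts the deepest run of unescaped '(' outside character classes. It
// approximates the parser's own notion of height and is biased toward
// over-counting: if a ']' closes a class early, parentheses that follow are
// still counted, which only makes the filter stricter.
func nestingDepth(pattern string) int {
	depth, maxDepth := 0, 0
	escaped, inClass := false, false
	for _, r := range pattern {
		switch {
		case escaped: // the character after '\' is a literal
			escaped = false
		case r == '\\':
			escaped = true
		case inClass: // inside [...], parentheses are literals
			if r == ']' {
				inClass = false
			}
		case r == '[':
			inClass = true
		case r == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case r == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

// compileUntrusted compiles a caller-supplied pattern only after bounding its
// length and nesting depth. maxLen and maxDepth are application-chosen limits
// (assumed values in this example); keep them far below the 1000-level limit
// the fixed parser enforces, since legitimate patterns rarely nest more than a
// handful of levels.
func compileUntrusted(pattern string, maxLen, maxDepth int) (*regexp.Regexp, error) {
	if len(pattern) > maxLen {
		return nil, fmt.Errorf("pattern is %d bytes, limit is %d", len(pattern), maxLen)
	}
	if d := nestingDepth(pattern); d > maxDepth {
		return nil, fmt.Errorf("pattern nests %d levels deep, limit is %d", d, maxDepth)
	}
	return regexp.Compile(pattern)
}

func main() {
	for _, depth := range []int{10, 5000} {
		p := nestedPattern(depth)
		ok, err := tryCompile(p)
		fmt.Printf("regexp.Compile,   depth %5d: accepted=%v err=%v\n", depth, ok, err)
		_, err = compileUntrusted(p, 4096, 32)
		fmt.Printf("compileUntrusted, depth %5d: err=%v\n", depth, err)
	}
}
```

Run it on a fixed toolchain and the depth-5000 pattern is refused by both paths; on an affected toolchain only compileUntrusted refuses it, and tryCompile is the call that would bring the process down. The pre-filter is deliberately cheap and syntactic: it runs in a single pass over the bytes and never allocates, so it is safe to apply to every request before the more expensive compile.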

Timeline

Published on: 03/05/2022 20:15:00 UTC
Last modified on: 08/04/2022 16:15:00 UTC
