{ "threat_severity" : "Important", "public_date" : "2019-06-19T00:00:00Z", "bugzilla" : { "description" : "redis: Heap buffer overflow in HyperLogLog triggered by malicious client", "id" : "1723918", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1723918" }, "cvss3" : { "cvss3_base_score" : "7.2", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-122", "details" : [ "A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.", "A heap buffer overflow vulnerability was found in the Redis HyperLogLog data structure. By carefully corrupting a HyperLogLog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer." ], "statement" : "* This issue did not affect the version of grafana(embeds redis) as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 as it only ships client side part of redis implementation.\n* This issue did not affect the version of heketi(embeds redis) as shipped with Red Hat Gluster Storage 3 as it only ships client side part of redis implementation.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-08-07T00:00:00Z", "advisory" : "RHSA-2019:2002", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "redis:5-8000020190711140130.f8e95b4e" }, { "product_name" : "Red Hat OpenStack Platform 10.0 (Newton)", "release_date" : "2019-09-04T00:00:00Z", "advisory" : "RHSA-2019:2630", "cpe" : "cpe:/a:redhat:openstack:10::el7", "package" : "redis-0:3.0.6-5.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)", "release_date" : "2019-09-04T00:00:00Z", "advisory" : "RHSA-2019:2628", "cpe" : "cpe:/a:redhat:openstack:13::el7", "package" : "redis-0:3.2.8-4.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date" : "2019-09-04T00:00:00Z", "advisory" : "RHSA-2019:2621", "cpe" : "cpe:/a:redhat:openstack:14::el7", "package" : "redis-0:3.2.8-4.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 9.0 (Mitaka)", "release_date" : "2019-08-15T00:00:00Z", "advisory" : "RHSA-2019:2508", "cpe" : "cpe:/a:redhat:openstack:9::el7", "package" : "redis-0:3.0.6-5.el7ost" }, { "product_name" : "Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7", "release_date" : "2019-08-15T00:00:00Z", "advisory" : "RHSA-2019:2506", "cpe" : "cpe:/a:redhat:openstack-optools:9::el7", "package" : "redis-0:3.0.6-5.el7ost" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-07-25T00:00:00Z", "advisory" : "RHSA-2019:1860", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-redis32-redis-0:3.2.13-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-07-22T00:00:00Z", "advisory" : "RHSA-2019:1819", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis5-redis-0:5.0.5-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-07-25T00:00:00Z", "advisory" : "RHSA-2019:1860", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis32-redis-0:3.2.13-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-07-22T00:00:00Z", "advisory" : "RHSA-2019:1819", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis5-redis-0:5.0.5-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-07-25T00:00:00Z", "advisory" : "RHSA-2019:1860", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis32-redis-0:3.2.13-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-07-22T00:00:00Z", "advisory" : "RHSA-2019:1819", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis5-redis-0:5.0.5-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-07-25T00:00:00Z", "advisory" : "RHSA-2019:1860", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis32-redis-0:3.2.13-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-07-22T00:00:00Z", "advisory" : "RHSA-2019:1819", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis5-redis-0:5.0.5-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-07-25T00:00:00Z", "advisory" : "RHSA-2019:1860", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-redis32-redis-0:3.2.13-1.el7" } ], "package_state" : [ { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Not affected", "package_name" : "grafana", "cpe" : "cpe:/a:redhat:ceph_storage:3" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "grafana", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "heketi", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10192\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10192\nhttps://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES\nhttps://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES\nhttps://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES" ], "name" : "CVE-2019-10192", "csaw" : false }