The Redis vulnerabilities CVE-2021-29477 and CVE-2021-29478 impacts Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0.0 and earlier. The fix is delivered in Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.1.0.
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Product(s) | Version(s) |
---|---|
IBM Aspera High-Speed Transfer Server | 4.0.0 and earlier |
IBM Aspera High-Speed Transfer Endpoint | 4.0.0 and earlier |
Affected Product(s) | Version(s) |
---|---|
IBM Aspera High-Speed Transfer Server | 4.1.0 |
IBM Aspera High-Speed Transfer Endpoint | 4.1.0 |
CVEID: CVE-2021-29477
DESCRIPTION: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS
command to corrupt the heap and potentially result with remote code execution. The problem is fixed in version 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS
command.
CVEID: CVE-2021-29478
DESCRIPTION: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result with remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the redis-server
executable is to prevent users from modifying the set-max-intset-entries
configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET
command.
None