Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Summary

Redis is used by IBM Robotic Processing Automation for Cloud Pak as part of in memory database processing.

Vulnerability Details

CVEID:CVE-2021-41099
**DESCRIPTION:**Redis is vulnerable to an heap-based buffer overflow, caused by improper bounds checking in the underlying string library. By sending a specially-crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210649 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32762
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow in the redis-cli command line tool and redis-sentinel service. By parsing specially-crafted large multi-bulk network replies, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210729 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32687
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow with intsets. By sending a specially-crafted request using the intsets, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210728 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32628
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow in the handling of large ziplists. By sending a specially-crafted request using the ziplist configuration parameters, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210725 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32627
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow with Streams. By sending a specially-crafted request using the proto-max-bulk-len and client-query-buffer-limit configuration parameters, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210724 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-32675
**DESCRIPTION:**Redis is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted Redis Standard Protocol (RESP) requests, a remote attacker could exploit this vulnerability to allocate significant amount of memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210727 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-32672
**DESCRIPTION:**Redis could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the Lua Debugger. By sending specially-crafted requests, an attacker could exploit this vulnerability to read data beyond the actual buffer, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210726 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-32626
**DESCRIPTION:**Redis is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By executing specially-crafted Lua scripts, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210723 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-29477
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow in the STRALGO LCS command. By sending a specially crafted request, an attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201176 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-29478
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow in COPY command for large intsets. By sending a specially crafted request, an attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201174 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-21309
**DESCRIPTION:**Redis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow. By sending an overly long request, an attacker could overflow a buffer and execute arbitrary code on the system or cause the system to crash.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197573 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Workarounds and Mitigations

None