Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title redis security advisory
Informations
Name RHSA-2016:0096 First vendor Publication 2016-02-01
Vendor RedHat Last vendor Modification 2016-02-01
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated redis packages that fix a security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 7.0 for RHEL 7 - x86_64

3. Description:

Redis is an advanced key-value store. It is often referred to as a data structure server because keys can contain strings, hashes, lists, sets, or sorted sets.

An integer-wraparound flaw leading to a stack-based overflow was found in Redis. A user with access to run Lua code in a Redis session could possibly use this flaw to crash the server (denial of service) or gain code execution outside of the Lua sandbox. (CVE-2015-8080)

All users of redis are advised to upgrade to these updated packages, which correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1278965 - CVE-2015-8080 redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2016-0096.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-190 Integer Overflow or Wraparound (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 2
Application 17
Os 2
Os 1
Os 1

Snort® IPS/IDS

Date Description
2016-04-26 Redis lua script integer overflow attempt
RuleID : 38313 - Revision : 2 - Type : SERVER-OTHER
2016-04-26 Redis lua script integer overflow attempt
RuleID : 38312 - Revision : 2 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2017-02-21 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201702-16.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-663.nasl - Type : ACT_GATHER_INFO
2015-12-04 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3412.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2016-04-21 00:28:37
  • Multiple Updates
2016-04-13 21:29:27
  • Multiple Updates
2016-02-02 00:27:26
  • Multiple Updates
2016-02-02 00:23:31
  • First insertion