CVE-2017-15047

Name of the Vulnerable Software and Affected Versions Redis version 4.0.2

Description The issue is related to the clusterLoadConfig function in cluster.c, which allows attackers to cause a denial of service or possibly have other impacts by leveraging limited access to the machine. This is due to an out-of-bounds array index and application crash. The vulnerability is caused by a buffer overflow in memory resulting from the lack of validation of migrating slots to and migrating slots from values set in the configuration file. An attacker, acting remotely, can exploit this vulnerability to cause a denial of service or other unspecified effects.

Recommendations For Redis version 4.0.2, consider disabling the clusterLoadConfig function as a temporary workaround until a patch is available. Restrict access to the cluster.c module to minimize the risk of exploitation. Avoid using the migrating slots to and migrating slots from parameters in the configuration file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.