Apache bRPC
cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*
- < 1.14.1
- 1.14.0
A denial-of-service vulnerability has been identified in the Redis protocol parser of Apache bRPC, affecting all versions prior to 1.14.1. This vulnerability allows attackers to cause the service to crash by sending specially crafted data packets over the network. The issue arises because the parser allocates memory for arrays or strings based on integers received from the network. If these integers are excessively large, they can lead to a bad allocation error, causing the program to crash. Version 1.14.0 attempted to address this problem by imposing limits on memory allocation, but the implementation was flawed, allowing integer overflow and exploitation of the same vulnerability. This issue is present when bRPC is used as a Redis server for untrusted clients or as a Redis client for untrusted services.
Exploitation of this vulnerability leads to a crash of the bRPC service, causing a denial-of-service condition.
Users can upgrade to Apache bRPC version 1.14.1 or apply the patch available on GitHub. After upgrading, note that the patch caps the maximum memory allocation in the Redis parser at 64MB. If Redis requests or responses exceed this size, an error may occur; in such cases, the 'redis_max_allocation_size' gflag can be raised to allow a larger limit.
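The two defects the advisory describes, trusting a network-supplied length when sizing an allocation and then bounding it with an arithmetic check that itself overflows, are easiest to see side by side. The following is an added illustration written for this page; it is not bRPC's parser or its actual 1.14.0/1.14.1 code. It assumes a RESP-style length header (`*<n>\r\n` for arrays, `$<n>\r\n` for bulk strings), uses a hypothetical 64MB constant `kMaxAllocationBytes` standing in for the `redis_max_allocation_size` gflag, and the function names `parse_resp_length`, `flawed_allocation_ok`, `safe_allocation_ok` and `header_allocation_ok` are its own. The flawed check is only a representative overflow pattern, not a claim about the exact expression bRPC 1.14.0 used.

```cpp
#include <cstdint>
#include <cstddef>
#include <limits>
#include <optional>
#include <string>

// Assumed cap mirroring the advisory's 64MB default; in bRPC 1.14.1 this is
// configurable through the redis_max_allocation_size gflag.
static const uint64_t kMaxAllocationBytes = 64ull * 1024 * 1024;

// Parse a RESP length header such as "*1000\r\n" or "$-1\r\n".
// Returns the integer, or nullopt if the line is malformed or the decimal
// value would not fit in int64_t (the overflow check happens before the
// multiply, so the accumulator can never wrap).
std::optional<int64_t> parse_resp_length(const std::string& line) {
    if (line.size() < 4) return std::nullopt;  // shortest valid form is "*0\r\n"
    const char type = line[0];
    if (type != '*' && type != '$') return std::nullopt;
    size_t pos = 1;
    bool negative = false;
    if (line[pos] == '-') { negative = true; ++pos; }
    if (pos >= line.size() || line[pos] < '0' || line[pos] > '9') return std::nullopt;
    const uint64_t limit = static_cast<uint64_t>(std::numeric_limits<int64_t>::max());
    uint64_t value = 0;
    while (pos < line.size() && line[pos] >= '0' && line[pos] <= '9') {
        const uint64_t digit = static_cast<uint64_t>(line[pos] - '0');
        if (value > (limit - digit) / 10) return std::nullopt;  // value*10+digit > INT64_MAX
        value = value * 10 + digit;
        ++pos;
    }
    if (line.compare(pos, std::string::npos, "\r\n") != 0) return std::nullopt;
    const int64_t signed_value = static_cast<int64_t>(value);
    return negative ? -signed_value : signed_value;
}

// Flawed bound check (illustrative overflow pattern): the byte count is
// computed first, so a huge element count wraps modulo 2^64 and lands
// under the cap. Unsigned arithmetic is used so the wrap is well defined.
bool flawed_allocation_ok(int64_t count, uint64_t element_size) {
    if (count < 0) return false;
    const uint64_t bytes = static_cast<uint64_t>(count) * element_size;  // wraps
    return bytes <= kMaxAllocationBytes;
}

// Corrected bound check: compare the count against cap / element_size so no
// multiplication is performed on attacker-influenced values.
bool safe_allocation_ok(int64_t count, uint64_t element_size,
                        uint64_t cap = kMaxAllocationBytes) {
    if (count < 0 || element_size == 0) return false;
    return static_cast<uint64_t>(count) <= cap / element_size;
}

// Decide whether a header may be honoured before allocating anything:
// parse with overflow detection, then apply the safe bound. A RESP null
// length (-1) needs no allocation and is accepted as-is.
bool header_allocation_ok(const std::string& line, uint64_t element_size) {
    const std::optional<int64_t> n = parse_resp_length(line);
    if (!n) return false;
    if (*n == -1) return true;
    return safe_allocation_ok(*n, element_size);
}
```

The same input, an array header of 2^61 elements at 8 bytes each, passes the flawed check (2^61 * 8 wraps to 0) and is rejected by the corrected one; the digit-by-digit overflow test in `parse_resp_length` stops a second class of problem, where the decimal itself exceeds the integer type before any bound is even consulted.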