Recently, Redis officially released a security notice, disclosing a heap overflow vulnerability (CVE-2022-24834). A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.
Redis is an open source, network supported, memory based, distributed, and optionally persistent key value pair storage database. If you are an Redis user, check your system and implement timely security hardening.
Reference:
https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838
important
(Severity: low, moderate, important, and critical)
Affected versions:
All versions of Redis with Lua scripting support, starting from 2.6
Secure versions:
7.0.12, 6.2.13, 6.0.20
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to a latest secure version.
https://github.com/redis/redis/releases
An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
Get more professional support at any time
Contact Us
