Recently, Redis officially released a security notice, disclosing a Lua Script overflow vulnerability (CVE-2024-31449). An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.
Redis is an open source, network supported, memory based, distributed, and optionally persistent key value pair storage database. If you are a Redis user, check your system and implement timely security hardening.
Reference:
https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5important
(Severity: low, moderate, important, and critical)
Affected versions:
2.6 ≤ Redis < 6.2.16
7.0.0 ≤ Redis < 7.2.6
7.4.0 ≤ Redis < 7.4.1
(All versions of Redis with Lua scripting support, starting from 2.6)
Secure versions:
6.2.16, 7.2.6, 7.4.1.
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to a latest secure version.
https://github.com/redis/redis/releasesAn additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
Get more professional support at any time
Contact Us
