Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3885 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3885-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                           Chris Lamb     September 10, 2024                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : redis     Version        : 5:6.0.16-1+deb11u3     CVE IDs        : CVE-2023-45145 CVE-2023-28856 CVE-2023-25155 CVE-2022-36021 CVE-2022-24834     Debian Bugs    : 1032279 1034613 1054225

    It was discovered that there were a number of issues in Redis, a popular     key-value database:

     * CVE-2023-45145: On startup, Redis began listening on a Unix        socket before adjusting its permissions to the user-provided        configuration. If a permissive umask(2) was used, this created a        race condition that enabled, during a short period of time,        another process to establish an otherwise unauthorized connection.

     * CVE-2023-28856: Authenticated users could have used the        HINCRBYFLOAT command to create an invalid hash field that would        have crashed the Redis server on access.

     * CVE-2023-25155: Authenticated users issuing specially crafted        SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an        integer overflow, resulting in a runtime assertion and termination        of the Redis server process.

     * CVE-2022-36021: Authenticated users can use string matching        commands (like SCAN or KEYS) with a specially crafted pattern to        trigger a denial-of-service attack on Redis, causing it to hang        and consume 100% CPU time.

     * CVE-2022-24834: A specially-crafted Lua script executing in Redis        could have triggered a heap overflow in the cjson and cmsgpack        libraries and result in heap corruption and potentially remote        code execution.


    For Debian 11 bullseye, these problems have been fixed in version     5:6.0.16-1+deb11u3.

    We recommend that you upgrade your redis packages.

    For the detailed security status of redis please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/redis

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202408-05 (Redis: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below     for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the redis package has been released.

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - redis: heap overflow in the lua cjson and cmsgpack libraries (CVE-2022-24834)

  - redis: crash in sigsegvHandler debug function (CVE-2022-3647)

  - Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted     `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to     allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in     Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for     this vulnerability. (CVE-2022-35977)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - redis: Code injection via Lua script execution environment (CVE-2022-24735)

  - redis: heap overflow in the lua cjson and cmsgpack libraries (CVE-2022-24834)

  - Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-     administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in     2021. Versions before 6.2 were not intended to have safety guarantees related to this. (CVE-2021-31294)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5610 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

  - Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names     from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading     random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead     to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and     authenticated users who were set with ACL rules that match key names, executing a specially crafted     command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
    (CVE-2023-36824)

  - Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by     `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly     authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis     7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    (CVE-2023-41053)

  - Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers     which can result in integer overflow that leads to heap overflow and potential remote code execution. This     issue has been patched in version 7.0.15 and 7.2.4. (CVE-2023-41056)

  - Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket     before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used,     this creates a race condition that enables, during a short period of time, another process to establish an     otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been     addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to     upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a     restrictive umask, or storing the Unix socket file in a protected directory. (CVE-2023-45145)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6531-1 advisory.

    Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled certain specially crafted Lua     scripts. An attacker could possibly use this issue to cause heap corruption and execute arbitrary code.
    (CVE-2022-24834)

    SeungHyun Lee discovered that Redis incorrectly handled specially crafted commands. An attacker could     possibly use this issue to trigger an integer overflow, which might cause Redis to allocate impossible     amounts of memory, resulting in a denial of service via an application crash. (CVE-2022-35977)

    Tom Levy discovered that Redis incorrectly handled crafted string matching patterns. An attacker could     possibly use this issue to cause Redis to hang, resulting in a denial of service. (CVE-2022-36021)

    Yupeng Yang discovered that Redis incorrectly handled specially crafted commands. An attacker could     possibly use this issue to trigger an integer overflow, resulting in a denial of service via an     application crash. (CVE-2023-25155)

    It was discovered that Redis incorrectly handled a specially crafted command. An attacker could possibly     use this issue to create an invalid hash field, which could potentially cause Redis to crash on future     access. (CVE-2023-28856)

    Alexander Aleksandrovi Klimov discovered that Redis incorrectly listened to a Unix socket before setting     proper permissions. A local attacker could possibly use this issue to connect, bypassing intended     permissions. (CVE-2023-45145)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of redis installed on the remote host is prior to 6.2.13-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2REDIS6-2023-002 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3407-1 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

  - Redis is an open source, in-memory database that persists on disk. Authenticated users can use the     `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected     versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to     upgrade. There are no known workarounds for this issue. (CVE-2023-28856)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-291 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2925-1 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

  - Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands     (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis,     causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11,     7.0.9. (CVE-2022-36021)

  - Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted     `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a     runtime assertion and termination of the Redis server process. This problem affects all Redis versions.
    Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9. (CVE-2023-25155)

  - Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version     7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of     the Redis server process. The problem is fixed in Redis version 7.0.10. (CVE-2023-28425)

  - Redis is an open source, in-memory database that persists on disk. Authenticated users can use the     `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected     versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to     upgrade. There are no known workarounds for this issue. (CVE-2023-28856)

  - Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names     from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading     random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead     to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and     authenticated users who were set with ACL rules that match key names, executing a specially crafted     command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
    (CVE-2023-36824)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:2924-1 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-c406ba1ff6 advisory.

    **Redis 7.0.12** -   Released Mon July 10 12:00:00 IDT 2023

    Upgrade urgency SECURITY: See security fixes below.

    Security Fixes:

    *    (**CVE-2022-24834**) A specially crafted Lua script executing in Redis can trigger         a heap overflow in the cjson and cmsgpack libraries, and result in heap         corruption and potentially remote code execution. The problem exists in all         versions of Redis with Lua scripting support, starting from 2.6, and affects         only authenticated and authorized users.
    *    (**CVE-2023-36824**) Extracting key names from a command and a list of arguments         may, in some cases, trigger a heap overflow and result in reading random heap         memory, heap corruption and potentially remote code execution. Specifically:
        using COMMAND GETKEYS* and validation of key names in ACL rules.

    Bug Fixes

    * Re-enable downscale rehashing while there is a fork child (#12276)
    * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with `<count>` (#12276)
    * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
    * Fix WAIT to be effective after a blocked module command being unblocked (#12220)
    * Avoid unnecessary full sync after master restart in a rare case (#12088)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-800612d23a advisory.

    **Redis 7.0.12** -   Released Mon July 10 12:00:00 IDT 2023

    Upgrade urgency SECURITY: See security fixes below.

    Security Fixes:

    *    (**CVE-2022-24834**) A specially crafted Lua script executing in Redis can trigger         a heap overflow in the cjson and cmsgpack libraries, and result in heap         corruption and potentially remote code execution. The problem exists in all         versions of Redis with Lua scripting support, starting from 2.6, and affects         only authenticated and authorized users.
    *    (**CVE-2023-36824**) Extracting key names from a command and a list of arguments         may, in some cases, trigger a heap overflow and result in reading random heap         memory, heap corruption and potentially remote code execution. Specifically:
        using COMMAND GETKEYS* and validation of key names in ACL rules.

    Bug Fixes

    * Re-enable downscale rehashing while there is a fork child (#12276)
    * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with `<count>` (#12276)
    * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
    * Fix WAIT to be effective after a blocked module command being unblocked (#12220)
    * Avoid unnecessary full sync after master restart in a rare case (#12088)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 0e254b4a-1f37-11ee-a475-080027f5fec9 advisory.

  - Redis core team reports:               A specially crafted Lua script executing in Redis can     trigger a heap overflow in the cjson and cmsgpack              libraries, and result in heap corruption     and potentially              remote code execution.            (CVE-2022-24834)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206888	Debian dla-3885 : redis - security update	Nessus	Debian Local Security Checks	high
205117	GLSA-202408-05 : Redis: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
204424	Photon OS 4.0: Redis PHSA-2023-4.0-0427	Nessus	PhotonOS Local Security Checks	high
203583	Photon OS 5.0: Redis PHSA-2023-5.0-0049	Nessus	PhotonOS Local Security Checks	high
202287	RHEL 9 : redis (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
202286	RHEL 8 : redis (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
189755	Debian dsa-5610 : redis - security update	Nessus	Debian Local Security Checks	high
186586	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Redis vulnerabilities (USN-6531-1)	Nessus	Ubuntu Local Security Checks	high
181950	Amazon Linux 2 : redis (ALASREDIS6-2023-002)	Nessus	Amazon Linux Local Security Checks	high
180150	SUSE SLES15 Security Update : redis (SUSE-SU-2023:3407-1)	Nessus	SuSE Local Security Checks	high
179785	Amazon Linux 2023 : redis6, redis6-devel (ALAS2023-2023-291)	Nessus	Amazon Linux Local Security Checks	high
178690	SUSE SLES15 / openSUSE 15 Security Update : redis7 (SUSE-SU-2023:2925-1)	Nessus	SuSE Local Security Checks	high
178689	SUSE SLES15 / openSUSE 15 Security Update : redis (SUSE-SU-2023:2924-1)	Nessus	SuSE Local Security Checks	high
178463	Fedora 38 : redis (2023-c406ba1ff6)	Nessus	Fedora Local Security Checks	high
178461	Fedora 37 : redis (2023-800612d23a)	Nessus	Fedora Local Security Checks	high
178110	FreeBSD : redis -- Heap overflow in the cjson and cmsgpack libraries (0e254b4a-1f37-11ee-a475-080027f5fec9)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-24834

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high