Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.

The remote host is affected by the vulnerability described in GLSA-202408-05 (Redis: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below     for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the redis package has been released.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5610 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

  - Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names     from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading     random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead     to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and     authenticated users who were set with ACL rules that match key names, executing a specially crafted     command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
    (CVE-2023-36824)

  - Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by     `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly     authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis     7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    (CVE-2023-41053)

  - Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers     which can result in integer overflow that leads to heap overflow and potential remote code execution. This     issue has been patched in version 7.0.15 and 7.2.4. (CVE-2023-41056)

  - Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket     before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used,     this creates a race condition that enables, during a short period of time, another process to establish an     otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been     addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to     upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a     restrictive umask, or storing the Unix socket file in a protected directory. (CVE-2023-45145)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2925-1 advisory.

  - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis     can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote     code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6,     and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and     6.0.20. (CVE-2022-24834)

  - Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands     (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis,     causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11,     7.0.9. (CVE-2022-36021)

  - Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted     `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a     runtime assertion and termination of the Redis server process. This problem affects all Redis versions.
    Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9. (CVE-2023-25155)

  - Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version     7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of     the Redis server process. The problem is fixed in Redis version 7.0.10. (CVE-2023-28425)

  - Redis is an open source, in-memory database that persists on disk. Authenticated users can use the     `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected     versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to     upgrade. There are no known workarounds for this issue. (CVE-2023-28856)

  - Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names     from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading     random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead     to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and     authenticated users who were set with ACL rules that match key names, executing a specially crafted     command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
    (CVE-2023-36824)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-c406ba1ff6 advisory.

    **Redis 7.0.12** -   Released Mon July 10 12:00:00 IDT 2023

    Upgrade urgency SECURITY: See security fixes below.

    Security Fixes:

    *    (**CVE-2022-24834**) A specially crafted Lua script executing in Redis can trigger         a heap overflow in the cjson and cmsgpack libraries, and result in heap         corruption and potentially remote code execution. The problem exists in all         versions of Redis with Lua scripting support, starting from 2.6, and affects         only authenticated and authorized users.
    *    (**CVE-2023-36824**) Extracting key names from a command and a list of arguments         may, in some cases, trigger a heap overflow and result in reading random heap         memory, heap corruption and potentially remote code execution. Specifically:
        using COMMAND GETKEYS* and validation of key names in ACL rules.

    Bug Fixes

    * Re-enable downscale rehashing while there is a fork child (#12276)
    * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with `<count>` (#12276)
    * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
    * Fix WAIT to be effective after a blocked module command being unblocked (#12220)
    * Avoid unnecessary full sync after master restart in a rare case (#12088)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-800612d23a advisory.

    **Redis 7.0.12** -   Released Mon July 10 12:00:00 IDT 2023

    Upgrade urgency SECURITY: See security fixes below.

    Security Fixes:

    *    (**CVE-2022-24834**) A specially crafted Lua script executing in Redis can trigger         a heap overflow in the cjson and cmsgpack libraries, and result in heap         corruption and potentially remote code execution. The problem exists in all         versions of Redis with Lua scripting support, starting from 2.6, and affects         only authenticated and authorized users.
    *    (**CVE-2023-36824**) Extracting key names from a command and a list of arguments         may, in some cases, trigger a heap overflow and result in reading random heap         memory, heap corruption and potentially remote code execution. Specifically:
        using COMMAND GETKEYS* and validation of key names in ACL rules.

    Bug Fixes

    * Re-enable downscale rehashing while there is a fork child (#12276)
    * Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with `<count>` (#12276)
    * Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction (#12276)
    * Fix WAIT to be effective after a blocked module command being unblocked (#12220)
    * Avoid unnecessary full sync after master restart in a rare case (#12088)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6fae2d6c-1f38-11ee-a475-080027f5fec9 advisory.

  - Redis core team reports:              Extracting key names from a command and a list of     arguments may, in some cases, trigger a heap overflow and             result in reading random heap     memory, heap corruption and             potentially remote code execution. Specifically: using     COMMAND GETKEYS* and validation of key names in ACL rules.            (CVE-2023-36824)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
205117	GLSA-202408-05 : Redis: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
204424	Photon OS 4.0: Redis PHSA-2023-4.0-0427	Nessus	PhotonOS Local Security Checks	high
203583	Photon OS 5.0: Redis PHSA-2023-5.0-0049	Nessus	PhotonOS Local Security Checks	high
189755	Debian dsa-5610 : redis - security update	Nessus	Debian Local Security Checks	high
178690	SUSE SLES15 / openSUSE 15 Security Update : redis7 (SUSE-SU-2023:2925-1)	Nessus	SuSE Local Security Checks	high
178463	Fedora 38 : redis (2023-c406ba1ff6)	Nessus	Fedora Local Security Checks	high
178461	Fedora 37 : redis (2023-800612d23a)	Nessus	Fedora Local Security Checks	high
178109	FreeBSD : redis -- heap overflow in COMMAND GETKEYS and ACL evaluation (6fae2d6c-1f38-11ee-a475-080027f5fec9)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2023-36824

high

Tenable Plugins

high

high

high

high

high

high

high

high