Vulnerability CVE-2022-24736: Information
Description
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which results in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
redis | sisyphus | 6.2.8-alt1 | 7.2.4-alt1.1 | ALT-PU-2023-1049-1 | 313485 | Fixed |
redis | sisyphus_e2k | 6.2.8-alt1 | 7.2.4-alt1.1 | ALT-PU-2023-2207-1 | - | Fixed |
redis | sisyphus_riscv64 | 6.2.8-alt1 | 7.2.4-alt0.port | ALT-PU-2023-2211-1 | - | Fixed |
redis | p10 | 6.2.8-alt1 | 6.2.14-alt1 | ALT-PU-2023-4137-2 | 324230 | Fixed |
redis | p10_e2k | 6.2.8-alt1 | 6.2.14-alt1 | ALT-PU-2023-4233-1 | - | Fixed |
redis | c10f1 | 6.2.8-alt1 | 6.2.13-alt1 | ALT-PU-2023-4153-2 | 324231 | Fixed |
redis | c9f2 | 6.2.8-alt1 | 6.2.13-alt1 | ALT-PU-2023-4109-2 | 324232 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/redis/redis/pull/10651 | |
https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984 | |
https://github.com/redis/redis/releases/tag/7.0.0 | |
https://github.com/redis/redis/releases/tag/6.2.7 | |
https://security.netapp.com/advisory/ntap-20220715-0003/ | |
N/A | |
GLSA-202209-17 | |
FEDORA-2022-6ed1ce2838 | |
FEDORA-2022-a0a4c7eb31 | |
FEDORA-2022-44373f6778 | |