Vulnerability CVE-2022-24736: Information
Description
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, resulting in a crash of the redis-server process (denial of service). The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
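The ACL workaround mentioned above, written out as an added example (not taken from the advisory or from the Redis project). It denies the whole `@scripting` command category, which in Redis 6.2 covers `EVAL`, `EVALSHA` and `SCRIPT` (including `SCRIPT LOAD`), so it is only appropriate on instances where Lua scripting is not used. The user name, password placeholder and file path are assumptions; the ACL file location is whatever `aclfile` points to in redis.conf.

```conf
# users.acl (assumed path; set "aclfile /etc/redis/users.acl" in redis.conf)
# Default user: full key and channel access, every command except the
# scripting category. Replace the placeholder password before use.
user default on >REPLACE_ME ~* &* +@all -@scripting

# An application account with the same restriction, limited to its own keys.
user app on >REPLACE_ME ~app:* &* +@all -@scripting

# Equivalent runtime change without editing the file (persist it with ACL SAVE):
#   ACL SETUSER default -@scripting
#   ACL SETUSER app on >REPLACE_ME ~app:* &* +@all -@scripting
#   ACL SAVE
```

To confirm the rule took effect, `ACL CAT scripting` lists the commands the category blocks, and `EVAL "return 1" 0` as the restricted user should be rejected with a NOPERM error. Blocking the category removes scripting for legitimate clients too, so it is a stopgap until the server is upgraded to a fixed package, not a replacement for the update.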
Fixed packages
Package name | Branch | Fixed in version | Version in repository | Errata ID | Task № | Status |
---|---|---|---|---|---|---|
redis | sisyphus | 6.2.8-alt1 | 7.2.4-alt1.1 | ALT-PU-2023-1049-1 | 313485 | Fixed |
redis | sisyphus_e2k | 6.2.8-alt1 | 7.2.4-alt1.1 | ALT-PU-2023-2207-1 | - | Fixed |
redis | sisyphus_riscv64 | 6.2.8-alt1 | 7.2.4-alt0.port | ALT-PU-2023-2211-1 | - | Fixed |
redis | p10 | 6.2.8-alt1 | 6.2.14-alt1 | ALT-PU-2023-4137-2 | 324230 | Fixed |
redis | p10_e2k | 6.2.8-alt1 | 6.2.14-alt1 | ALT-PU-2023-4233-1 | - | Fixed |
redis | c10f1 | 6.2.8-alt1 | 6.2.13-alt1 | ALT-PU-2023-4153-2 | 324231 | Fixed |
redis | c9f2 | 6.2.8-alt1 | 6.2.13-alt1 | ALT-PU-2023-4109-2 | 324232 | Fixed |
Links to advisories, fixes and tools
Link | Resource |
---|---|
https://github.com/redis/redis/pull/10651 | Upstream fix (pull request) |
https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984 | Redis security advisory |
https://github.com/redis/redis/releases/tag/7.0.0 | Redis 7.0.0 release |
https://github.com/redis/redis/releases/tag/6.2.7 | Redis 6.2.7 release |
https://security.netapp.com/advisory/ntap-20220715-0003/ | NetApp advisory |
GLSA-202209-17 | Gentoo security advisory |
FEDORA-2022-6ed1ce2838 | Fedora update |
FEDORA-2022-a0a4c7eb31 | Fedora update |
FEDORA-2022-44373f6778 | Fedora update |