What happened?
As part of an ongoing effort by the Redis Community and Redis to maintain Redis safety, security, and compliance posture, three security vulnerabilities in Redis have been published recently.
What are the vulnerabilities?
[CVE-2024-31449] Lua library commands may be exploited by an authenticated user to achieve remote code execution. CVSS Score: 7.0 (High)
Redis ships with an embedded version of the Lua engine to support the execution of user scripts. The engine handles these scripts and runs them within the context of the Redis database.
An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.
Any commands executed by exploiting this vulnerability will be run in the context of the user and group that owns the Redis processes.
[CVE-2024-31228] Denial-of-service due to unbounded pattern matching. CVSS Score: 5.5 (Moderate)
An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash.
[CVE-2024-31227] Denial-of-service due to malformed ACL selectors. CVSS Score: 4.4 (Moderate)
An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service.
How can you protect your Redis instance?
Exposure to these vulnerabilities requires an attacker to gain access to your Redis instance.
There are several steps you can take to protect your Redis from being accessed by a malicious actor. To minimize the risk of exploitation, it’s important to follow these best practices:
- Restrict Network Access: Ensure that only authorized users and systems have access to the Redis database. Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity.
- Enforce Strong Authentication: Enforce the use of credentials for all access to Redis instances. Avoid configurations that allow unauthenticated access, and ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
- Limit Permissions: Ensure that user identities with access to Redis are granted the minimum permissions necessary. Only allow trusted identities to run Lua scripts or any other potentially risky commands.
For more details on how to securely configure, deploy, and use Redis, visit the Community Edition and Enterprise Software documentation sites.
How can I remediate?
We’ve already upgraded our Redis Cloud service with the fixes, so no additional action is required from you.
If you’re self-managing Redis, whether Software or Community versions – Upgrade your Redis.
These new versions of Redis OSS, CE, Stack, and Software include the fix, so you should be good once you upgrade.
Impacted releases | Fixed releases | |
[CVE-2024-31449] Lua library commands may be exploited by an authenticated user to achieve remote code execution. CVSS Score: 7.0 (High) | All Redis Software releases | • 7.4.2-169 and above • 7.2.4-109 and above • 6.4.2-110 and above • 7.4.6 – all builds • 7.6.0 – all builds (non-GA) • 7.8.0 – all builds (non-GA) |
All Redis OSS/CE/Stack releases | OSS/CE: • 7.4.1 • 7.2.6 • 6.2.16 Stack: • 7.4.0-v1 • 7.2.0-v13 • 6.2.6-v17 | |
[CVE-2024-31228] Denial-of-service due to unbounded pattern matching. CVSS Score: 5.5 (Moderate) | All Redis Software releases | • 7.4.2-169 and above • 7.2.4-109 and above • 6.4.2-110 and above • 7.4.6 – all builds • 7.6.0 – all builds (non-GA) • 7.8.0 – all builds (non-GA) |
All Redis OSS/CE/Stack releases | OSS/CE: • 7.4.1 • 7.2.6 • 6.2.16 Stack: • 7.4.0-v1 • 7.2.0-v13 • 6.2.6-v17 | |
[CVE-2024-31227] Denial-of-service due to malformed ACL selectors. CVSS Score: 4.4 (Moderate) | No exposure for Redis Software | N/A |
All Redis OSS/CE/Stack releases 7.0.0 or newer | OSS/CE: • 7.4.1 • 7.2.6 Stack: • 7.4.0-v1 • 7.2.0-v13 |
How can I tell if I was already exposed?
We have no evidence of exploitation of this vulnerability at Redis or in customer environments.
This isn’t a comprehensive guide, but it is a general recommendation you can adapt to your needs and operating environment.
There are a number of technical and behavior indicators or artifacts that may be created if exploitation of the vulnerability occurred. If you search for these within your Redis environment, you should be able to detect potential exploitation related to your Redis instance.
- Access to the Redis database from unauthorized or unknown sources
- Unknown or anomalous network ingress traffic to the Redis database
- Unexplained Redis server crashes, specifically crashes with a stack trace that originates from the Lua engine
- Unknown, unexpected, or anomalous command execution by the redis-server user
- Unknown or anomalous network egress traffic (or attempts) from the Redis database
- Unknown or anomalous changes to the file system, in particular in directories that host Redis persistent or configuration files
Who gets the credit?
We thank the following researchers for being so kind as to identify these vulnerabilities and report them through our published process:
- CVE-2024-31449 reported by nkki-zsyang, Shenzhen Ankki Technologies Co.Ltd
- CVE-2024-31227 reported by Axel Mierczuk
- CVE 2024-31228 reported by tomistripping