redis-6.2.7-1.el9

Errata ID: AXSA:2023-4604:01

Release date: Thursday, January 5, 2023 - 09:53
Subject: redis-6.2.7-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Low
Description:

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

* redis: Code injection via Lua script execution environment (CVE-2022-24735)
* redis: Malformed Lua script can crash Redis (CVE-2022-24736)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.1 Release Notes linked from the References section.

CVE-2022-24735
Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same or a different script at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged user to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.
CVE-2022-24736
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference which results in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.
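Both CVEs share the same interim workaround: deny `SCRIPT LOAD` and `EVAL` through ACL rules for users that do not need Lua scripting. The Python below is an added example, not Redis code or part of this errata. It models a small constructed subset of Redis's command-to-category table and the `+cmd`/`-cmd`/`+@category`/`-@category` rule forms of `ACL SETUSER`, applies them left to right as Redis does, and reports which users in an ACL file can still load or run Lua scripts. The ACL lines are constructed samples and `#PLACEHOLDER_SHA256` stands in for a real password hash. Note that Redis 6.2 ACLs can add a subcommand but cannot deny one selectively, so denying `SCRIPT LOAD` means denying the whole `SCRIPT` command (or the `@scripting` category), which also removes `SCRIPT FLUSH` and `SCRIPT EXISTS` for that user.

```python
"""Simplified model of how Redis 6.2 ACL rules resolve for the Lua-scripting
commands named in this advisory (EVAL, EVALSHA, SCRIPT).

Added example, not Redis's own code: the command/category table is a small
constructed subset of the real one, and the evaluator only handles the
+/-<cmd> and +/-@<category> rule forms, which is all the workaround needs."""

# Constructed subset of Redis's command-to-ACL-category table.
COMMAND_CATEGORIES = {
    "get":     {"read", "string", "fast"},
    "set":     {"write", "string", "slow"},
    "eval":    {"slow", "scripting"},
    "evalsha": {"slow", "scripting"},
    "script":  {"slow", "scripting"},   # top-level SCRIPT (LOAD/FLUSH/EXISTS)
    "ping":    {"fast", "connection"},
}
ALL_CATEGORIES = set().union(*COMMAND_CATEGORIES.values())
SCRIPTING_COMMANDS = {"eval", "evalsha", "script"}


def allowed_commands(rules):
    """Apply rules left to right, as ACL SETUSER does, starting from an empty
    allow set, and return the commands the resulting user may run."""
    allowed = set()
    for rule in rules.split():
        sign, name = rule[0], rule[1:]
        if sign not in "+-":
            raise ValueError(f"unsupported rule form: {rule}")
        if name == "@all":
            targets = set(COMMAND_CATEGORIES)
        elif name.startswith("@"):
            category = name[1:]
            if category not in ALL_CATEGORIES:
                raise ValueError(f"unknown category: {name}")
            targets = {c for c, cats in COMMAND_CATEGORIES.items() if category in cats}
        else:
            if name not in COMMAND_CATEGORIES:
                raise ValueError(f"unknown command: {name}")
            targets = {name}
        if sign == "+":
            allowed |= targets
        else:
            allowed -= targets
    return allowed


def scripting_blocked(rules):
    """True when the user can neither load (SCRIPT) nor run (EVAL/EVALSHA)
    Lua scripts, i.e. the advisory's workaround is in effect for that user."""
    return not (SCRIPTING_COMMANDS & allowed_commands(rules))


def check_acl_users(acl_lines):
    """Take lines in users.acl / `ACL LIST` shape
    ("user NAME on ... +@all -@scripting") and report, per user, whether
    scripting is blocked. Non-rule tokens (on, nopass, ~pattern, &channel,
    #hash) are skipped; only +/- tokens are rules."""
    report = {}
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        rules = " ".join(p for p in parts[2:] if p[0] in "+-")
        report[parts[1]] = scripting_blocked(rules)
    return report


# Constructed sample ACL file: "default" and "app" keep scripting open,
# "reporting" and "ops" apply the workaround in two equivalent ways.
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #PLACEHOLDER_SHA256 ~app:* +@all -@write",
    "user reporting on #PLACEHOLDER_SHA256 ~report:* +@all -@scripting",
    "user ops on #PLACEHOLDER_SHA256 ~* +@all -eval -evalsha -script",
]

if __name__ == "__main__":
    for user, blocked in check_acl_users(SAMPLE_ACL).items():
        print(f"{user:10s} scripting {'blocked' if blocked else 'ALLOWED'}")
```

Run against the output of `redis-cli ACL LIST` (or the users.acl file) to see which accounts could still load a script before the package update is applied; any user reported as ALLOWED that does not actually need Lua is a candidate for `ACL SETUSER <name> -@scripting`.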

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. redis-6.2.7-1.el9.src.rpm
    MD5: 754f24af76059c861595dce996cfbea9
    SHA-256: 5ee232d0f2674f1a930ef63d77f2de6f09d2685d22712b8d1ac148e48cbe5a0a
    Size: 3.00 MB

Asianux Server 9 for x86_64
  1. redis-6.2.7-1.el9.x86_64.rpm
    MD5: 4690ae132d41989d6dcc009a0b58eb85
    SHA-256: 3a79db03dd8f2f097ba79f2c134fffdf7444e1f8b5df853b925978393bf0705a
    Size: 1.30 MB
  2. redis-devel-6.2.7-1.el9.x86_64.rpm
    MD5: b02d58d83083e7caea661230d92657a3
    SHA-256: b04f3bba34b2fad04edd303f0117ed1ebaead0e0315416a1610b82eaecddcb6a
    Size: 21.03 kB
  3. redis-doc-6.2.7-1.el9.noarch.rpm
    MD5: 9e194d3870190594ea58b4326a652930
    SHA-256: 52c964de46a81254008fc19dfec163e3e7b33d1fd49e8ae8480f61d7bcfd8758
    Size: 469.12 kB
  4. redis-devel-6.2.7-1.el9.i686.rpm
    MD5: 1d646b1939ae8d9d75ebbbd5fb10f6df
    SHA-256: 6fab1107d59c3830940467de26342dcb59ed6bb57152a02530e8fc9697168299
    Size: 21.05 kB