redis-6.2.7-1.el9
Errata ID: AXSA:2023-4604:01
Release date:
2023/01/05 Thursday - 09:53
Title:
redis-6.2.7-1.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Low
Description:
The following items have been addressed.
[Security Fix]
- Redis has a flaw in its Lua script execution environment that allows a low-privileged attacker with access to Redis to inject a Lua script that is later executed as another, higher-privileged user. (CVE-2022-24735)
- Redis has a NULL pointer dereference flaw that allows a local attacker to crash the redis-server process by loading a specially crafted Lua script. (CVE-2022-24736)
Solution:
Update the package.
CVE:
CVE-2022-24735
Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same or a different script at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged user to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
CVE-2022-24736
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, resulting in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
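Both CVE descriptions above give the same workaround: deny `SCRIPT LOAD` and `EVAL` through ACL rules. The following audit script is an added example, not part of this advisory or of Redis; it replays the command-permission tokens of a Redis 6.2 `users.acl` file (the same syntax `ACL LIST` prints) and reports which users can still reach the Lua scripting commands. It assumes that the `@scripting` category in 6.2 consists of EVAL, EVALSHA and SCRIPT, that the categories in `HARMLESS` contain none of them, and the ACL lines are constructed with placeholder password hashes.

```python
# Added audit example (not from the advisory or from Redis): replays the
# command-permission tokens of a Redis 6.2 users.acl / ACL LIST output and
# reports which users can still reach the Lua scripting commands that the
# advisory's workaround says to deny. Assumptions: @scripting in 6.2 is
# {EVAL, EVALSHA, SCRIPT}; only the categories listed below are modelled.
SCRIPTING = frozenset({"eval", "evalsha", "script"})
GRANTING = {"@all", "@scripting"}            # categories that contain SCRIPTING
HARMLESS = {"@read", "@write", "@fast", "@string", "@hash", "@list", "@set",
            "@sortedset", "@pubsub", "@keyspace"}  # assumed not to contain them

# Constructed ACL file for the demo; passwords are placeholders, not real hashes.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app on #<placeholder-sha256> ~app:* +@all -@scripting
user batch on #<placeholder-sha256> ~* +@all -eval -script
user metrics on #<placeholder-sha256> ~* -@all +@read +@slow
"""

def scripting_access(tokens):
    """Replay ACL tokens in order; return (allowed scripting cmds, categories to review)."""
    allowed, review = set(), []
    for tok in tokens:
        tok = {"allcommands": "+@all", "nocommands": "-@all", "reset": "-@all"}.get(tok, tok)
        sign, body = tok[0], tok[1:].lower()
        if sign not in "+-":          # on/off, passwords, ~key and &channel patterns
            continue
        if body.startswith("@"):
            if body in GRANTING:
                allowed = set(SCRIPTING) if sign == "+" else set()
            elif sign == "+" and body not in HARMLESS:
                review.append(body)   # e.g. @slow: may grant EVAL, check manually
        elif body in SCRIPTING:
            (allowed.add if sign == "+" else allowed.discard)(body)
    return sorted(allowed), review

def audit(acl_text):
    """Map user name -> (allowed scripting commands, categories to review)."""
    findings = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            findings[parts[1]] = scripting_access(parts[2:])
    return findings

if __name__ == "__main__":
    for user, (cmds, review) in audit(SAMPLE_ACL).items():
        state = "BLOCKED" if not cmds and not review else "EXPOSED"
        print(f"{user:8} {state:8} allowed={cmds} review={review}")
```

Redis 6.2 has no per-subcommand ACL rules, so `SCRIPT LOAD` can only be denied by denying `SCRIPT` as a whole, and EVALSHA also runs (already cached) Lua, which is why the `batch` user above still shows as exposed.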
Additional information:
N/A
Downloads:
SRPMS
- redis-6.2.7-1.el9.src.rpm
MD5: 754f24af76059c861595dce996cfbea9
SHA-256: 5ee232d0f2674f1a930ef63d77f2de6f09d2685d22712b8d1ac148e48cbe5a0a
Size: 3.00 MB
Asianux Server 9 for x86_64
- redis-6.2.7-1.el9.x86_64.rpm
MD5: 4690ae132d41989d6dcc009a0b58eb85
SHA-256: 3a79db03dd8f2f097ba79f2c134fffdf7444e1f8b5df853b925978393bf0705a
Size: 1.30 MB
- redis-devel-6.2.7-1.el9.x86_64.rpm
MD5: b02d58d83083e7caea661230d92657a3
SHA-256: b04f3bba34b2fad04edd303f0117ed1ebaead0e0315416a1610b82eaecddcb6a
Size: 21.03 kB
- redis-doc-6.2.7-1.el9.noarch.rpm
MD5: 9e194d3870190594ea58b4326a652930
SHA-256: 52c964de46a81254008fc19dfec163e3e7b33d1fd49e8ae8480f61d7bcfd8758
Size: 469.12 kB
- redis-devel-6.2.7-1.el9.i686.rpm
MD5: 1d646b1939ae8d9d75ebbbd5fb10f6df
SHA-256: 6fab1107d59c3830940467de26342dcb59ed6bb57152a02530e8fc9697168299
Size: 21.05 kB