Issue Details:
In mid-July 2023, two Redis vulnerabilities were identified by the National Vulnerability Database (NVD). As soon as Instaclustr became aware of them, we began investigating the impact on our Redis™ Managed Service.
CVE-2022-24834 relates to an issue where a specially crafted Lua script can trigger a heap overflow in the cJSON library, resulting in heap corruption and potentially remote code execution. The CVSS (Common Vulnerability Scoring System) 3.1 score for this vulnerability provided by the NVD is 8.8 (HIGH). When considered in the context of the standard security controls implemented by Instaclustr’s Managed Platform, we have assessed the risk as 7.0 (HIGH). The vulnerability affects all Redis versions from 2.6 onwards and is resolved with the release of Redis versions 7.0.12 and 6.2.13.
CVE-2023-36824 relates to an issue where extracting key names using particular commands may in some cases trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. The CVSS 3.1 score for this vulnerability provided by the NVD is 8.8 (HIGH). When considered in the context of the standard security controls implemented by Instaclustr’s Managed Platform, we have assessed the risk as 7.2 (HIGH). This vulnerability affects all versions of Redis from 7.0 and is resolved in version 7.0.12.
Impact Assessment:
Instaclustr performed an investigation into these vulnerabilities and their potential impact on customers of our Managed Redis Service and assessed their severity as HIGH on the CVSS 3.1 scale. The findings are listed below:
- The main risk identified is that an authenticated user can cause a heap overflow, which can crash the application or be used to execute arbitrary code.
- Instaclustr’s Managed Redis Service employs firewall access controls that limit the network locations from which a cluster can be reached.
- Additionally, because exploiting these vulnerabilities requires an authenticated user, an attacker would need to have been explicitly granted access to the environment before they could execute the affected commands. This reduces the likelihood of clusters being exploited through these vulnerabilities.
Mitigation Approaches:
Based on the impacts detailed above, Instaclustr recommends the following actions for our customers:
- We recommend all customers review the access permissions to their Redis clusters to ensure access is restricted to the minimum permissions sets, IP addresses, and trusted clients. You can find information about how to manage Redis users, ACLs, and firewall rules on our website.
- Instaclustr has released Redis versions 7.0.12 and 6.2.13, which contain fixes for these vulnerabilities. These updated versions are now available on the Instaclustr Managed Platform, and we recommend that:
  - New clusters use Redis 7.0.12 or Redis 6.2.13, depending on which major version you are using.
  - Existing clusters on older versions are upgraded. Schedule an upgrade by contacting our Support team; alternatively, our Support team will reach out to you shortly to schedule one.
- We have marked Redis 7.0.11 and Redis 6.2.12 as Closed, and they will be Retired once customer migration is completed, as per our lifecycle policy.
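As an added example (not Instaclustr's or the Redis project's own code), the following Python audits the text a redis-cli session returns for INFO server and ACL LIST offline: it applies the version ranges stated above for both CVEs and flags enabled users whose ACL rules still allow the @scripting category, since CVE-2022-24834 needs a Lua script to trigger. The sample output and the password hash placeholders are constructed; @scripting is the Redis ACL command category assumed here, and only category-level grants are evaluated.

```python
import re

FIX_70, FIX_62 = (7, 0, 12), (6, 2, 13)  # fixed releases named in the advisory

# Constructed sample output, as redis-cli would return it from a 7.0.11 node.
SAMPLE_INFO = "# Server\r\nredis_version:7.0.11\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = (
    "user default on nopass ~* &* +@all\n"
    "user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write\n"
    "user reporting on #<sha256-placeholder> ~* &* -@all +@read +@scripting\n"
    "user legacy off nopass ~* &* +@all\n"
)


def parse_version(info_server):
    """Return redis_version from `INFO server` output as an (x, y, z) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if m is None:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def exposed_cves(v):
    """CVEs from the advisory that the given version is still exposed to."""
    cves = []
    # CVE-2022-24834: every release since 2.6, fixed in 7.0.12 and 6.2.13.
    patched = v >= FIX_70 or (v[:2] == (6, 2) and v >= FIX_62)
    if v >= (2, 6, 0) and not patched:
        cves.append("CVE-2022-24834")
    # CVE-2023-36824: 7.0.0 up to, but not including, 7.0.12.
    if (7, 0, 0) <= v < FIX_70:
        cves.append("CVE-2023-36824")
    return cves


def users_with_scripting(acl_list):
    """Enabled users whose `ACL LIST` rules leave the @scripting category allowed."""
    # Simplified: only +@all/-@all/+@scripting/-@scripting tokens are applied, in
    # order, as Redis does; per-command grants and selectors are not resolved.
    flagged = []
    for line in acl_list.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "user" or tok[2] != "on":
            continue  # skip blank lines and users that are switched off
        allowed = False
        for t in tok[3:]:
            if t in ("+@all", "+@scripting", "allcommands"):
                allowed = True
            elif t in ("-@all", "-@scripting", "nocommands"):
                allowed = False
        if allowed:
            flagged.append(tok[1])
    return flagged
```

Paste real INFO server and ACL LIST output into the two sample strings to audit a node; any user listed alongside an exposed version is a candidate for tightening to the minimum permission set.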
If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact [email protected].