Multiple Redis Vulnerabilities Addressed in Ubuntu

Rohan Timalsina

March 12, 2024 - TuxCare expert team

Redis is an open-source, in-memory data structure store, often described as a key-value store, that is used as a database, cache, and message broker. It supports strings, hashes, lists, sets, sorted sets, bitmaps, HyperLogLogs, and geospatial indexes, which makes it extremely versatile. Like any software, however, Redis is not immune to vulnerabilities. Several Redis vulnerabilities were recently fixed in Debian and Ubuntu, and installations that have not picked up those fixes remain exposed to them.

In this article, we’ll delve into these vulnerabilities, understand their implications, and explore the solutions provided to mitigate them.

 

Redis Security Vulnerabilities

 

CVE-2022-24834

Seiya Nakata and Yudai Fujiwara identified an issue where Redis mishandled certain Lua scripts. A specially crafted script can trigger a heap overflow in the cjson and cmsgpack libraries bundled with Redis's Lua engine, leading to heap corruption and potentially arbitrary code execution in the server process. Exploitation requires an authenticated client that is allowed to run Lua scripts (EVAL, EVALSHA, SCRIPT LOAD), so denying the @scripting ACL category to untrusted users limits exposure until the package is upgraded.

 

CVE-2022-35977

Discovered by SeungHyun Lee, this vulnerability is an integer overflow in the handling of specially crafted SETRANGE and SORT/SORT_RO commands. The overflow can make Redis attempt to allocate an impossible amount of memory, leading to denial of service through an out-of-memory crash of the server.

 

CVE-2022-36021

Tom Levy uncovered a flaw in Redis's string pattern matching: an authenticated client can pass a specially crafted pattern to commands such as KEYS or SCAN and cause Redis to hang, consuming CPU on a single pattern match, which amounts to denial of service for every other client of that instance.
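A hang of this kind is the classic failure mode of a backtracking glob matcher: each '*' tries every possible length and recurses, so a pattern with k stars can cost on the order of n^k steps against an n-character key. The following is an added example, not Redis's matcher (Redis's own lives in src/util.c and also handles character classes); the pattern and key below are constructed for illustration and are not the crafted input reported for this CVE. It places the naive recursive design next to the iterative one that a hardened matcher should use, and counts the work each does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Work counters so the two matchers can be compared on the same input. */
unsigned long naive_steps, iter_steps;

/* Textbook recursive glob matcher for '*' and '?' only (no escapes, no
 * classes). Every '*' tries every possible length and recurses, so the
 * running time explodes with the number of stars. Not Redis's matcher. */
static bool naive_impl(const char *p, const char *s) {
    naive_steps++;
    if (*p == '\0') return *s == '\0';
    if (*p == '*') {
        for (;; s++) {                      /* let '*' eat 0, 1, 2, ... chars */
            if (naive_impl(p + 1, s)) return true;
            if (*s == '\0') return false;
        }
    }
    if (*s == '\0') return false;
    if (*p == '?' || *p == *s) return naive_impl(p + 1, s + 1);
    return false;
}

bool glob_match_naive(const char *p, const char *s) {
    naive_steps = 0;
    return naive_impl(p, s);
}

/* Iterative matcher for '*', '?' and '\' escapes that runs in
 * O(len(p) * len(s)) with no recursion. It remembers only the most recent
 * '*' (star_p) and where that star started matching (star_s); on a mismatch
 * it resumes from that star one character further into the string, which is
 * sufficient because an earlier star can never do better than the latest one.
 * Character classes ('[...]') are deliberately left out to keep this short. */
bool glob_match(const char *p, const char *s) {
    const char *star_p = NULL, *star_s = NULL;
    iter_steps = 0;
    while (*s) {
        iter_steps++;
        if (*p == '*') {
            while (*p == '*') p++;          /* "**" behaves like "*" */
            if (*p == '\0') return true;    /* trailing '*' matches the rest */
            star_p = p;
            star_s = s;
            continue;
        }
        const char *q = p;
        bool literal = false;
        if (*q == '\\' && q[1] != '\0') {   /* "\?" and "\*" match themselves */
            q++;
            literal = true;
        }
        if (*q != '\0' && ((!literal && *q == '?') || *q == *s)) {
            p = q + 1;
            s++;
            continue;
        }
        if (star_p != NULL) {               /* backtrack to the last star only */
            p = star_p;
            s = ++star_s;
            continue;
        }
        return false;
    }
    while (*p == '*') p++;                  /* only stars may remain unmatched */
    return *p == '\0';
}

int main(void) {
    const char *key = "aaaaaaaaaaaaaaaaaaaa";   /* constructed 20-char key name */
    const char *pat = "*a*a*a*a*a*b";          /* constructed pattern that cannot match */
    bool r1 = glob_match_naive(pat, key);
    bool r2 = glob_match(pat, key);
    printf("naive: %s after %lu steps; iterative: %s after %lu steps\n",
           r1 ? "match" : "no match", naive_steps,
           r2 ? "match" : "no match", iter_steps);
    return 0;
}
```

Both matchers agree on the answer; the difference is that the naive one does tens of thousands of steps on a 20-character key with five stars, and the count grows by roughly a factor of the key length for every additional star, which is how a single KEYS or SCAN call can pin a core. Bounding recursion depth, as upstream did, or using the non-recursive form above, closes that class of bug without changing matcher semantics.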

 

CVE-2023-25155

Yupeng Yang identified an integer overflow in the SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands: an authenticated client supplying a specially crafted count argument can trigger the overflow and terminate the Redis server process, resulting in denial of service.

 

CVE-2023-28856

This vulnerability is an incorrect handling of a specially crafted HINCRBYFLOAT command. An authenticated user can use it to create an invalid hash field, and Redis then crashes when that field is later accessed, so the damage can surface well after the malicious command was sent.

 

CVE-2023-45145

Alexander Aleksandrovič Klimov found that, when Redis is configured to listen on a Unix socket (the unixsocket and unixsocketperm settings), it called listen(2) on the socket before applying the configured permissions with chmod(2). In the window between the two calls the socket file carries the permissions derived from the process umask rather than unixsocketperm, so a local attacker racing Redis startup can connect and bypass the intended restriction.
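The ordering problem is easier to see in code. The following is an added example written for this page, not Redis's own listener code: it brings up a Unix socket in both orders and returns the permission bits the socket file carried at the instant listen(2) returned, which on Linux is what a racing connect(2) from another local user is checked against. The socket path is an assumption and only needs to be writable.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Permission bits currently on the file at `path`, or -1 if stat fails. */
static int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* The process umask, read without changing it. */
mode_t current_umask(void) {
    mode_t u = umask(0);
    umask(u);
    return u;
}

/* Bring up a Unix stream socket at `path` that is meant to carry permission
 * bits `perm` (e.g. 0700). Returns the bits the socket file actually had at
 * the instant listen(2) made it connectable, or -1 on error. The socket is
 * closed and unlinked before returning: this is a demonstration, not a server.
 *
 * chmod_before_listen == 0 is the ordering CVE-2023-45145 describes: bind(2)
 * creates the file as 0777 & ~umask, listen(2) makes it connectable, and only
 * then does chmod(2) tighten it, so any local user the umask admits can
 * connect in between. chmod_before_listen == 1 is the hardened ordering:
 * connect(2) to a bound but not yet listening socket fails, so the file is
 * never connectable with permissions wider than `perm`. */
int unix_listen_demo(const char *path, mode_t perm, int chmod_before_listen) {
    struct sockaddr_un sa;
    int fd, mode_at_listen = -1;

    if (strlen(path) >= sizeof(sa.sun_path)) return -1;
    unlink(path);                                /* clear a stale socket file */

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);

    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) goto out;

    if (chmod_before_listen && chmod(path, perm) != 0) goto out;

    if (listen(fd, 16) != 0) goto out;
    mode_at_listen = file_mode(path);            /* what a racing client sees */

    if (!chmod_before_listen && chmod(path, perm) != 0) mode_at_listen = -1;

out:
    close(fd);
    unlink(path);
    return mode_at_listen;
}

int main(void) {
    /* Assumed demo path; any writable location works. */
    const char *path = "/tmp/cve-2023-45145-demo.sock";
    int vulnerable = unix_listen_demo(path, 0700, 0);
    int hardened = unix_listen_demo(path, 0700, 1);
    printf("umask %04o: listen-then-chmod exposes %04o at listen, "
           "chmod-then-listen exposes %04o\n",
           (unsigned)current_umask(), (unsigned)vulnerable, (unsigned)hardened);
    return 0;
}
```

With a typical daemon umask of 022 the first call reports 0755, i.e. world-connectable for the length of the race, while the second reports 0700 throughout. Two caveats for operators: Linux enforces write permission on the socket file for connect(2), but BSD-derived systems historically ignore those bits (see unix(7)), so placing the socket in a directory that only the intended users can traverse is the portable defence; and none of this matters for a Redis that is not configured with unixsocket at all, which is the default.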

 

Mitigation Measures

 

To address these vulnerabilities, the Ubuntu and Debian security teams have released updated packages for their supported releases. The updates carry the upstream fixes, so upgrading the redis packages (on Ubuntu, apt update followed by apt upgrade, or a targeted upgrade of redis-server and redis-tools) is the actual remediation; afterwards confirm that the running redis-server process was restarted, since a patched package on disk does nothing for an instance still executing the old binary. Until the upgrade is applied, the command-level issues above are only reachable by authenticated clients, so Redis ACLs that withhold scripting and dangerous commands from application users reduce, but do not remove, the exposure.

 

Securing End of Life Ubuntu Systems

 

These vulnerabilities also affect end-of-life Ubuntu releases, including Ubuntu 14.04, 16.04, and 18.04. Those releases no longer receive security updates from the standard repositories; Canonical provides them only through an Ubuntu Pro (ESM) subscription. That is not the only way to extend security support, however.

You can opt for a more affordable option, TuxCare's Extended Lifecycle Support, which offers five additional years of vendor-grade security patches for Ubuntu 16.04 and Ubuntu 18.04. That means you can continue receiving security updates for your critical Ubuntu workloads for five years after the EOL date while you plan your migration.

 

Source: USN-6531-1
