Description
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which results in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
A flaw was found in the Redis database where a malformed Lua script can cause a NULL pointer dereference. This flaw allows an attacker to load a crafted script, which results in a crash of the redis-server process.
Mitigation measures
If Lua scripting is not being used, this vulnerability can be mitigated by preventing access to SCRIPT LOAD and EVAL commands using ACL rules.
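As an added example (not part of this advisory, and not Redis project code), a small Python checker that parses a `users.acl` file and reports, per user, whether `EVAL`, `EVALSHA` or `SCRIPT` is still reachable after the ACL rules are applied in order. The category table is an assumption that covers only the commands relevant here (`@scripting` is a real Redis category that contains them), subcommand-level rules are handled conservatively at command granularity, and the two ACL samples are constructed.

```python
import shlex

# Assumed partial category table: only what is needed to reason about
# @scripting (a real Redis category); the real table is much larger.
CATEGORIES = {
    "scripting": {"eval", "evalsha", "script", "function", "fcall"},
    "read": {"get", "mget", "lrange"},
    "write": {"set", "del", "lpush"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())
LUA_ENTRY_POINTS = {"eval", "evalsha", "script"}  # what the advisory says to block

def allowed_commands(rules):
    """Apply ACL command rules left to right, as Redis does."""
    allowed = set()
    for rule in rules:
        if rule in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif rule in ("nocommands", "-@all"):
            allowed = set()
        elif rule.startswith("+@"):
            allowed |= CATEGORIES.get(rule[2:], set())
        elif rule.startswith("-@"):
            allowed -= CATEGORIES.get(rule[2:], set())
        elif rule.startswith("+"):
            allowed.add(rule[1:].split("|")[0].lower())  # "+script|load" still exposes SCRIPT
        elif rule.startswith("-") and "|" not in rule:
            allowed.discard(rule[1:].lower())  # "-cmd|sub" is ignored (conservative)
        # on/off, nopass, >pass, ~keys, &channels do not affect commands
    return allowed

def parse_acl_file(text):
    """Map each 'user <name> <rules...>' line of users.acl to its rule list."""
    users = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users

def scripting_exposure(text):
    """Per user: True if EVAL, EVALSHA or SCRIPT is still reachable."""
    return {name: bool(allowed_commands(rules) & LUA_ENTRY_POINTS)
            for name, rules in parse_acl_file(text).items()}

WEAK_ACL = "user default on nopass ~* &* +@all\n"  # constructed: stock-style default user
HARDENED_ACL = (  # constructed: advisory workaround applied via the @scripting category
    "user default on nopass ~* &* +@all -@scripting\n"
    "user app on >app-secret ~app:* +@read +@write\n"
)
```

Run `scripting_exposure(WEAK_ACL)` and `scripting_exposure(HARDENED_ACL)` to compare the two samples; any user reported as `True` can still reach the vulnerable code path.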
Affected packages
Platform | Package | Status | Recommendation | Release
---|---|---|---|---
Red Hat 3scale API Management Platform 2 | redis | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/redisgraph-tls-rhel8 | Fix deferred | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-api-rhel8 | Fix deferred | |
Red Hat Ansible Automation Platform 1.2 | redis | Affected | |
Red Hat Ansible Tower 3 | redis | Affected | |
Red Hat Enterprise Linux 8 | redis:5/redis | Fix deferred | |
Red Hat Fuse 7 | io.hawt-hawtio-integration | Fix deferred | |
Red Hat OpenStack Platform 13 (Queens) | redis | Out of support scope | |
Red Hat Software Collections | rh-redis5-redis | Fix deferred | |
Red Hat Software Collections | rh-redis6-redis | Fix deferred | |
Additional information
Status:
CVSS3: 3.3 Low
Related vulnerabilities
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.
Redis is an in-memory database that persists on disk. Prior to version ...
A vulnerability in the Redis database management system related to pointer dereference errors, allowing an attacker to cause a denial of service.
CVSS3: 3.3 Low