Redis was affected by CVE-2024-51741 and CVE-2024-46981

CVE-2024-51741

Description:
This vulnerability affects Redis, an open-source in-memory data structure store used as a database, cache, and message broker. The issue arises when an authenticated user with sufficient privileges creates a malformed Access Control List (ACL) selector. When this malformed selector is accessed, it causes the Redis server to panic and crash, leading to a denial of service (DoS).

Technical Details:

  • Attack Vector: Local and remote, requiring authentication.
  • Impact: The vulnerability can be exploited to cause a server crash, disrupting services and potentially leading to data loss or unavailability.
  • Conditions: An attacker must have sufficient privileges to create or modify ACL selectors.

Mitigation:

  • Update Redis: Ensure that your Redis installation is updated to the latest versions that have patched this vulnerability. The issue has been fixed in Redis versions 7.2.7 and 7.4.2.
  • Review and Audit ACL Configurations: Regularly review and audit your ACL configurations to ensure there are no malformed selectors that could trigger this vulnerability.
  • Access Controls: Restrict access to Redis to trusted users and systems to minimize the risk of exploitation.

Severity: Medium (CVSS score: 4.4)


CVE-2024-46981

Description:
This vulnerability also affects Redis. It involves the misuse of the Lua scripting functionality within Redis. An authenticated user can craft a specific Lua script that manipulates the garbage collector in a way that could lead to remote code execution (RCE). This allows an attacker to execute arbitrary code on the server, potentially leading to full system compromise.

Technical Details:

  • Attack Vector: Local and remote, requiring authentication.
  • Impact: Successful exploitation can lead to remote code execution, granting the attacker control over the Redis server.
  • Conditions: An attacker must have the ability to run Lua scripts on the Redis server.

Mitigation:

  • Update Redis: Ensure your Redis installation is updated to the latest versions that have addressed this vulnerability. The issue has been fixed in Redis versions 7.2.7, 7.4.2, and 6.2.17.
  • Restrict Lua Script Execution: Use ACLs to limit the scripting commands (the @scripting category, which includes EVAL, EVALSHA, FCALL, FUNCTION and SCRIPT) to trusted users only. This keeps users who do not need server-side scripting from reaching the vulnerable code path.
  • Regular Audits: Conduct regular security audits of your Redis installations to detect and mitigate potential vulnerabilities.
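The mitigation lists for both CVEs come down to two checks: is the running version at or above the fixed release, and which ACL users can actually run Lua scripts or carry ACL selectors. The following script is an added example, not code from the original post or from the Redis project. It works offline on constructed `ACL LIST` output, assumes the rule syntax that Redis 7 prints (root rules followed by parenthesised selectors), and deliberately approximates ACL semantics only as far as the scripting question needs; the fixed versions are the ones named in this post.

```python
"""Offline audit helpers for the two mitigations recommended above (added
example, not from the original post): a version check against the fixed
releases the post names, and a review of `ACL LIST` output for users who can
run Lua scripts or who carry ACL selectors."""
import re

# Fixed releases as stated in this post, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    "CVE-2024-51741": {(7, 2): (7, 2, 7), (7, 4): (7, 4, 2)},
    "CVE-2024-46981": {(6, 2): (6, 2, 17), (7, 2): (7, 2, 7), (7, 4): (7, 4, 2)},
}

# Commands that let a user execute server-side Lua (all in the @scripting category).
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                      "fcall", "fcall_ro", "function", "script"}

# Constructed sample of `ACL LIST` output; the "#<sha256-placeholder>" stands in
# for the password hash Redis prints.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app-ro on #<sha256-placeholder> ~app:* resetchannels -@all +get +mget",
    "user batch on #<sha256-placeholder> ~* &* -@all +@read +eval",
    "user reporter on #<sha256-placeholder> ~rep:* resetchannels -@all +get (~other:* +set)",
    "user legacy off #<sha256-placeholder> ~* &* +@all",
]


def parse_version(text):
    """'7.2.6' -> (7, 2, 6)."""
    return tuple(int(p) for p in text.strip().split(".")[:3])


def patched_status(version, cve):
    """True if `version` carries the fix, False if it is below it, None when the
    release line is not one the post gives a fixed version for."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS[cve].get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def can_run_scripts(rules):
    """Simplified ACL evaluation for one question only: after applying the
    rules in order (later rules override earlier ones), can this rule set
    invoke any scripting command? Revoking a single command (e.g. "-eval")
    leaves the others usable, so only category-level revocations clear the flag."""
    allowed = False
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed = False
        elif r.startswith("+") and r[1:].split("|")[0] in SCRIPTING_COMMANDS:
            allowed = True
    return allowed


def audit_acl_list(lines, trusted_script_users=()):
    """Parse `ACL LIST` lines and return (user, finding) pairs for enabled users
    who can run Lua scripts without being on the trusted list, and for every
    ACL selector so it can be reviewed by hand."""
    findings = []
    for line in lines:
        m = re.match(r"user (\S+) (.*)", line.strip())
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        # Selectors are parenthesised rule groups appended after the root rules.
        selectors = [s.strip() for s in re.findall(r"\(([^)]*)\)", rest)]
        root = re.sub(r"\([^)]*\)", "", rest).split()
        if "on" not in root:
            continue  # disabled users cannot authenticate at all
        scripting = can_run_scripts(root) or any(can_run_scripts(s.split()) for s in selectors)
        if scripting and user not in trusted_script_users:
            findings.append((user, "can run Lua scripts (CVE-2024-46981 exposure)"))
        for sel in selectors:
            findings.append((user, f"has ACL selector '{sel}' to review (CVE-2024-51741)"))
    return findings


if __name__ == "__main__":
    for cve in FIXED_VERSIONS:
        print(cve, "7.2.6 patched:", patched_status("7.2.6", cve))
    for user, finding in audit_acl_list(SAMPLE_ACL_LIST, trusted_script_users={"batch"}):
        print(f"{user}: {finding}")
```

In practice you would feed `audit_acl_list` the lines from `redis-cli ACL LIST` and `patched_status` the `redis_version` field of `INFO server`. On the constructed sample the audit flags `default` (it keeps `+@all`) and lists the selector on `reporter`, while `batch` is skipped because it is explicitly trusted and `legacy` because it is disabled.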

Severity: High (CVSS score: 7.0)


Conclusion

Both CVE-2024-51741 and CVE-2024-46981 highlight the importance of regularly updating software and applying security best practices. By keeping your Redis installations up to date and implementing strict access controls, you can mitigate the risks associated with these vulnerabilities.
