- Vulnerability/
- USN-6531-1
USN-6531-1: Redis vulnerabilities
First published: Tue Dec 05 2023(Updated: )
Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled certain specially crafted Lua scripts. An attacker could possibly use this issue to cause heap corruption and execute arbitrary code. (CVE-2022-24834) SeungHyun Lee discovered that Redis incorrectly handled specially crafted commands. An attacker could possibly use this issue to trigger an integer overflow, which might cause Redis to allocate impossible amounts of memory, resulting in a denial of service via an application crash. (CVE-2022-35977) Tom Levy discovered that Redis incorrectly handled crafted string matching patterns. An attacker could possibly use this issue to cause Redis to hang, resulting in a denial of service. (CVE-2022-36021) Yupeng Yang discovered that Redis incorrectly handled specially crafted commands. An attacker could possibly use this issue to trigger an integer overflow, resulting in a denial of service via an application crash. (CVE-2023-25155) It was discovered that Redis incorrectly handled a specially crafted command. An attacker could possibly use this issue to create an invalid hash field, which could potentially cause Redis to crash on future access. (CVE-2023-28856) Alexander Aleksandrovič Klimov discovered that Redis incorrectly listened to a Unix socket before setting proper permissions. A local attacker could possibly use this issue to connect, bypassing intended permissions. (CVE-2023-45145)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/redis-server | <5:6.0.16-1ubuntu1+esm1 | 5:6.0.16-1ubuntu1+esm1 |
| Ubuntu Ubuntu | =22.04 | |
| All of | ||
| ubuntu/redis-tools | <5:6.0.16-1ubuntu1+esm1 | 5:6.0.16-1ubuntu1+esm1 |
| Ubuntu Ubuntu | =22.04 | |
| All of | ||
| ubuntu/redis-server | <5:5.0.7-2ubuntu0.1+esm2 | 5:5.0.7-2ubuntu0.1+esm2 |
| Ubuntu Ubuntu | =20.04 | |
| All of | ||
| ubuntu/redis-tools | <5:5.0.7-2ubuntu0.1+esm2 | 5:5.0.7-2ubuntu0.1+esm2 |
| Ubuntu Ubuntu | =20.04 | |
| All of | ||
| ubuntu/redis-server | <5:4.0.9-1ubuntu0.2+esm4 | 5:4.0.9-1ubuntu0.2+esm4 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/redis-tools | <5:4.0.9-1ubuntu0.2+esm4 | 5:4.0.9-1ubuntu0.2+esm4 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/redis-server | <2:3.0.6-1ubuntu0.4+esm2 | 2:3.0.6-1ubuntu0.4+esm2 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/redis-tools | <2:3.0.6-1ubuntu0.4+esm2 | 2:3.0.6-1ubuntu0.4+esm2 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/redis-server | <2:2.8.4-2ubuntu0.2+esm3 | 2:2.8.4-2ubuntu0.2+esm3 |
| Ubuntu Ubuntu | =14.04 | |
| All of | ||
| ubuntu/redis-tools | <2:2.8.4-2ubuntu0.2+esm3 | 2:2.8.4-2ubuntu0.2+esm3 |
| Ubuntu Ubuntu | =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2023-25155
- https://ubuntu.com/security/CVE-2022-36021
- https://ubuntu.com/security/CVE-2022-24834
- https://ubuntu.com/security/CVE-2023-45145
- https://ubuntu.com/security/CVE-2023-28856
- https://ubuntu.com/security/CVE-2022-35977
- https://ubuntu.com/security/notices/USN-6531-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of USN-6531-1?
The severity of USN-6531-1 is high.
How does Redis handle specially crafted Lua scripts?
Redis incorrectly handles certain specially crafted Lua scripts.
What can an attacker do with the Redis vulnerability (CVE-2022-24834)?
An attacker could possibly use this issue to cause heap corruption and execute arbitrary code.
What versions of Redis are affected by USN-6531-1?
Versions 5:6.0.16-1ubuntu1+esm1, 5:5.0.7-2ubuntu0.1+esm2, 5:4.0.9-1ubuntu0.2+esm4, 2:3.0.6-1ubuntu0.4+esm2, and 2:2.8.4-2ubuntu0.2+esm3 of Redis are affected by USN-6531-1.
How can I fix the Redis vulnerabilities in Ubuntu?
Apply the recommended updates for the redis-server and redis-tools packages as mentioned in the Ubuntu Security Notices (USN) advisory USN-6531-1.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/22.04
- version/ubuntu ubuntu/20.04
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04
- version/ubuntu ubuntu/14.04