Security updates fix two vulnerabilities that could lead to RCE and denial-of-service

Threat ID:CC-4600

Threat Severity:Medium

Published:7 January 2025 3:44 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 6.2.17, all prior to 7.2.7, all prior to 7.4.2

Redis

Threat details

Unsupported Versions

Redis versions prior to version 6.2.0 and prior to version 7.2.0 are not supported and do not receive security updates.

Introduction

Two security advisories have been released to address two vulnerabilities in Redis. Redis is a popular in-memory key-value database that persists on disk.

CVE-2024-46981 is a 'use after free' vulnerability with a CVSSv3 score of 7.0. If exploited, an authenticated attacker could use a specially crafted Lua script to achieve remote code execution.

CVE-2024-51741 is an 'improper input validation' vulnerability with a CVSSv3 score of 4.4. If exploited, an authenticated attacker with sufficient privileges may create a malformed access control list (ACL) selector which could lead to a denial-of-service condition.

Remediation advice

Affected organisations are encouraged to review Redis security advisory GHSA-39h2-x6c4-6w4c and Redis security advisory GHSA-prpq-rh5h-46g9, and apply any relevant updates as soon as practicable.

Remediation steps


Patch	CVE-2024-46981 Update to Redis version: 6.2.17 or higher 7.2.7 or higher 7.4.2 or higher https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
Guidance	CVE-2024-46981 An additional workaround to mitigate CVE-2024-46981 without patching the redis-server executable is to prevent users from executing Lua scripts, using ACL to restrict EVAL and EVALSHA commands. https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
Patch	CVE-2024-51741 Update to Redis version: 7.2.7 or higher 7.4.2 or higher https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9

Patch

CVE-2024-46981

Update to Redis version:

6.2.17 or higher
7.2.7 or higher
7.4.2 or higher

https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Guidance

CVE-2024-46981

An additional workaround to mitigate CVE-2024-46981 without patching the redis-server executable is to prevent users from executing Lua scripts, using ACL to restrict EVAL and EVALSHA commands.

https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Patch

CVE-2024-51741

Update to Redis version:

7.2.7 or higher
7.4.2 or higher

https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished

CVE-2024-46981An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

StatusPublished

CVE-2024-51741An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2.

Last edited: 7 January 2025 3:44 pm