Impact
A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution.
The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.
Patches
The problem is fixed in versions 7.0.12, 6.2.13, 6.0.20.
Workarounds
An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Credit
The problem was reported by Seiya Nakata and Yudai Fujiwara, security researchers from Ricerca Security, Inc.
For more information
If you have any questions or comments about this advisory:
Impact
A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution.
The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.
Patches
The problem is fixed in versions 7.0.12, 6.2.13, 6.0.20.
Workarounds
An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Credit
The problem was reported by Seiya Nakata and Yudai Fujiwara, security researchers from Ricerca Security, Inc.
For more information
If you have any questions or comments about this advisory: