Two vulnerabilities have been disclosed in Redis, the popular in-memory database, leaving a very large installed base at risk. CVE-2024-51741 lets an authenticated attacker trigger a denial-of-service (DoS) condition, while CVE-2024-46981 could enable remote code execution (RCE).
CVE-2024-51741 (CVSS 4.4) is a DoS flaw present in Redis 7.0.0 and newer. An authenticated user with sufficient privileges can create a malformed ACL selector which, when accessed, triggers a server panic and crashes the process.
CVE-2024-46981 (CVSS 7.0) poses the greater threat, since it could allow arbitrary code execution on the server. It affects every Redis version with Lua scripting enabled. An authenticated user who is permitted to run scripts can use a specially crafted Lua script to manipulate the Lua garbage collector and potentially achieve RCE.
Redis users are strongly urged to upgrade to a patched release immediately. CVE-2024-46981 is fixed in 6.2.17, 7.2.7 and 7.4.2; CVE-2024-51741 is fixed in 7.2.7 and 7.4.2. No fix is listed for other branches, so instances on an unlisted branch (for example 7.0.x) should be moved to one of the patched branches.
As a temporary workaround for CVE-2024-46981, Lua scripting can be withheld from users by denying the EVAL and EVALSHA commands through ACL. Two caveats apply: on 7.x, Redis Functions (FCALL and FCALL_RO) are a second Lua entry point, so denying the whole @scripting category is the safer rule; and the default user carries +@all unless it has been explicitly restricted, so check it rather than assume. The workaround does nothing for CVE-2024-51741. Patching the redis-server binary remains the recommended fix.
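The following is an added example (not Redis project code) that turns the two checks above into something a practitioner can run: it reads the text of `INFO server` to decide whether the running version is patched for each CVE, walks `ACL LIST` output to find users who can still run EVAL or EVALSHA, and emits the `ACL SETUSER` workaround for each of them. It assumes the fixed versions from the advisories (6.2.17, 7.2.7, 7.4.2) and models only a subset of the ACL grammar (on/off, +/-command, +/-@category, +@all/-@all); selectors are not evaluated, only flagged for manual review. The sample inputs are constructed, not captured from a real server.

```python
"""Audit a Redis instance's exposure to CVE-2024-46981 (Lua RCE) and
CVE-2024-51741 (ACL selector DoS) from the text of `INFO server` and `ACL LIST`.
Added example, not Redis project code. Assumptions: the fixed versions from the
advisories (6.2.17 / 7.2.7 / 7.4.2); a simplified ACL rule subset (on/off,
+/-command, +/-@category, +@all/-@all); selectors are not evaluated, only flagged."""

import re

# Fixed releases per advisory, keyed by (major, minor) branch.
FIXED_CVE_2024_46981 = {(6, 2): (6, 2, 17), (7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}
FIXED_CVE_2024_51741 = {(7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}

# Category membership for the two commands the ACL workaround targets.
# Simplified on purpose: only the categories relevant to this check are listed.
SCRIPT_CMDS = {"eval": {"scripting", "slow"}, "evalsha": {"scripting", "slow"}}


def parse_version(info_server):
    """Return (major, minor, patch) from `INFO server` output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO server output")
    return tuple(int(x) for x in m.groups())


def version_status(version, fixed, min_affected=(0, 0, 0)):
    """'not affected', 'patched', 'vulnerable', or 'review' (a branch newer than
    any listed fix, so check that branch's own release notes)."""
    if version < min_affected:
        return "not affected"
    branch = version[:2]
    if branch in fixed:
        return "patched" if version >= fixed[branch] else "vulnerable"
    if branch > max(fixed):
        return "review"
    return "vulnerable"  # older branch with no fix listed, e.g. 7.0.x


def can_run(rules, cmd):
    """Walk ACL rules left to right as Redis does. True/False, or None when a
    selector '(...)' is present, since selectors are not modelled here."""
    allowed = False
    for tok in rules:
        if tok.startswith("("):
            return None
        if tok in ("+@all", "allcommands"):
            allowed = True
        elif tok in ("-@all", "nocommands"):
            allowed = False
        elif tok[:2] in ("+@", "-@"):
            if tok[2:].lower() in SCRIPT_CMDS[cmd]:
                allowed = tok[0] == "+"
        elif tok[:1] in ("+", "-") and tok[1:].lower() == cmd:
            allowed = tok[0] == "+"
    return allowed


def audit_acl(acl_list):
    """Map each user to 'off', 'denied', 'allowed' or 'review' for EVAL/EVALSHA."""
    verdicts = {}
    for line in acl_list.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        if "off" in rules:
            verdicts[name] = "off"  # disabled user cannot authenticate at all
            continue
        results = [can_run(rules, c) for c in SCRIPT_CMDS]
        if None in results:
            verdicts[name] = "review"
        elif any(results):
            verdicts[name] = "allowed"
        else:
            verdicts[name] = "denied"
    return verdicts


def report(info_server, acl_list):
    """Combine version and ACL findings; list the ACL SETUSER commands that apply
    the advisory's workaround to every user who can still run scripts."""
    version = parse_version(info_server)
    acl = audit_acl(acl_list)
    return {
        "version": version,
        "CVE-2024-46981": version_status(version, FIXED_CVE_2024_46981),
        "CVE-2024-51741": version_status(version, FIXED_CVE_2024_51741, (7, 0, 0)),
        "acl": acl,
        "workaround": [f"ACL SETUSER {u} -eval -evalsha"
                       for u, s in acl.items() if s == "allowed"],
    }


# Constructed sample output (not captured from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.6\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = "\n".join([
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "a" * 64 + " ~app:* &* -@all +@read +@write",
    "user ops on #" + "b" * 64 + " ~* &* +@all -eval -evalsha",
    "user legacy off ~* &* +@all",
    "user sel on nopass ~* &* +@all (~x:* -@all +get)",
])

if __name__ == "__main__":
    for key, value in report(SAMPLE_INFO, SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

Feed it the raw text of `redis-cli INFO server` and `redis-cli ACL LIST`. In the constructed sample, 7.2.6 is reported vulnerable to both CVEs, the untouched default user is the only one still able to run scripts, and the user carrying a selector is sent back for manual review rather than silently judged.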
Redis users should prioritize patching their systems to avoid falling victim to these serious security flaws.