Redis Patches for Multi Flaws, Including Potential RCE (CVE-2024-31449)

by do son · October 6, 2024

Redis, a popular open-source data structure store often used as a database, cache, and message broker, has urged users to update their installations immediately following the discovery of three new security flaws. These flaws, which range from remote code execution (RCE) to denial-of-service (DoS) risks, could severely compromise systems if left unpatched. Three key vulnerabilities—CVE-2024-31449, CVE-2024-31227, and CVE-2024-31228—have been identified, and Redis has promptly released updated versions to address these issues.

The most severe of these vulnerabilities tracked as CVE-2024-31449, carries a CVSS score of 8.8 and could allow remote attackers to execute arbitrary code on affected systems. This critical vulnerability stems from a boundary error within Redis’s Lua scripting engine. By supplying a specially crafted Lua script, attackers can trigger a stack-based buffer overflow, potentially hijacking the server process and executing malicious commands.

In addition to the remote code execution vulnerability, Redis also patched two denial-of-service flaws. CVE-2024-31227 (CVSS score 4.5) involves malformed Access Control List (ACL) selectors, while CVE-2024-31228 (CVSS score 6.5) arises from unbounded pattern matching. Both vulnerabilities allow remote attackers to crash Redis servers, disrupting applications and services that rely on them.

Redis has addressed these vulnerabilities in versions 7.4.1, 7.2.6, and 6.2.16. Users are strongly advised to update their installations to these versions as soon as possible.

Given the popularity of Redis and the severity of these vulnerabilities, we expect to see attackers actively attempting to exploit them in the wild. Organizations should prioritize patching their Redis instances to mitigate the risk of compromise.