Redis LUA Exploit


Severity

High

Vendor

Redis

Versions Affected
  • Redis 3.0.1 or older
  • Redis 2.8.20 or older
  • Redis 2.6.x
Description

It was discovered that it is possible to break out of the LUA sandbox in Redis and execute arbitrary code. The user must have access to the Redis process to connect and execute the exploit to take advantage of the vulnerability.

Whilst all Redis instances are password protected and thus protected on the basis only authenticated users have access, new releases will be made available that contain the patched version of Redis.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Redis for Pivotal Cloud Foundry 1.4.4 or less
Mitigation

Users of affected versions should apply the following mitigation:

  • A new release of Redis for Pivotal Cloud Foundry will be released which includes Redis 2.8.21 which resolves this vulnerability
Credit

Ben Murphy

References