Vulnerability CVE-2022-24735

Vulnerability Name:

CVE-2022-24735 (CCN-225346)

Assigned:

2022-04-27

Published:

2022-04-27

Updated:

2022-10-07

Summary:

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

3.9 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
3.4 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

3.9 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
3.4 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

3.2 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-94

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2022-24735

Source: XF
Type: UNKNOWN
redis-cve202224735-code-exec(225346)

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/redis/redis/pull/10651

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/redis/redis/releases/tag/6.2.7

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/redis/redis/releases/tag/7.0.0

Source: CCN
Type: Redis GIT Repository
Lua scripts can be manipulated to overcome ACL rules

Source: CONFIRM
Type: Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-44373f6778

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-6ed1ce2838

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-a0a4c7eb31

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-17

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220715-0003/

Source: CCN
Type: IBM Security Bulletin 6608610 (DataPower Gateway)
IBM DataPower Gateway affected by vulnerabilities in Redis

Source: CCN
Type: IBM Security Bulletin 6825545 (Event Streams)
Vulnerabilities in Redis affect IBM Event Streams (CVE-2022-24736, CVE-2022-24735)

Source: CCN
Type: IBM Security Bulletin 6842235 (Spectrum Protect Plus)
Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735)

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-24735

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: N/A
Type: Patch, Third Party Advisory
N/A

Vulnerable Configuration:

Configuration 1:

cpe:/a:redis:redis:7.0:rc2:*:*:*:*:*:*

OR cpe:/a:redis:redis:7.0:rc3:*:*:*:*:*:*

OR cpe:/a:redis:redis:7.0:rc1:*:*:*:*:*:*

OR cpe:/a:redis:redis:*:*:*:*:*:*:*:* (Version < 6.2.7)

Configuration 2:

cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:redislabs:redis:6.2.5:*:*:*:*:*:*:*

OR cpe:/a:redislabs:redis:6.0.15:*:*:*:*:*:*:*

OR cpe:/a:redislabs:redis:5.0.13:*:*:*:*:*:*:*

OR cpe:/a:redislabs:redis:6.2.6:*:*:*:*:*:*:*

OR cpe:/a:redislabs:redis:6.0.16:*:*:*:*:*:*:*

OR cpe:/a:redislabs:redis:5.0.14:*:*:*:*:*:*:*

AND

cpe:/a:ibm:datapower_gateway:2018.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.0.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.0.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:datapower_gateway:10.5.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.redhat.rhsa:def:20228096	P	RHSA-2022:8096: redis security and bug fix update (Low)	2022-11-15
oval:com.redhat.rhsa:def:20227541	P	RHSA-2022:7541: redis:6 security, bug fix, and enhancement update (Low)	2022-11-08
oval:org.opensuse.security:def:3757	P	ppp-2.4.7-3.4 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95390	P	Security update for redis (Moderate)	2022-06-02
oval:org.opensuse.security:def:514	P	Security update for redis (Moderate)	2022-06-02
oval:org.opensuse.security:def:1670	P	Security update for redis (Moderate)	2022-05-25

BACK