
Security Advisory: CVE-2024-46981, CVE-2024-51737, CVE-2024-51480, CVE-2024-55656

What happened?

As part of our ongoing effort to maintain the safety, security, and compliance posture of Redis, four security vulnerabilities in Redis and Redis Modules/Stack have been identified and remediated in the versions indicated below.

What are the vulnerabilities?

[CVE-2024-46981] Lua Use-After-Free Remote Code Execution Vulnerability. CVSS Score: 7.0 (High)

A specially crafted Lua script executing within Redis may be able to manipulate the Lua VM garbage collector, potentially leading to a Remote Code Execution (RCE). This problem affects all versions of Redis that support Lua scripts, and can only be exploited by a valid, authenticated user with appropriate network connectivity and permission to run Lua scripts. 

[CVE-2024-51737] RediSearch – Integer Overflow with LIMIT or KNN Arguments Can Lead to RCE. CVSS: 7.0 (High)

An authenticated Redis user executing FT.SEARCH or FT.AGGREGATE with a specially crafted LIMIT command argument, or FT.SEARCH with a specially crafted KNN command argument, can trigger an integer overflow, leading to a heap overflow and potential remote code execution.

[CVE-2024-51480] RedisTimeSeries – Integer Overflow Remote Code Execution Vulnerability. CVSS: 7.0 (High)

Execution of one of the commands TS.QUERYINDEX, TS.MGET, TS.MRANGE, or TS.MREVRANGE by an authenticated user with specially crafted command arguments may cause an integer overflow and a subsequent heap overflow, and potentially lead to remote code execution.

[CVE-2024-55656] RedisBloom – Integer Overflow Remote Code Execution Vulnerability. CVSS: 8.8 (High)

Execution of the `CMS.INITBYDIM` command by an authenticated user with sufficiently large WIDTH and DEPTH command arguments may cause an integer overflow and a subsequent heap overflow, and potentially lead to remote code execution.

How can you protect your Redis instance?

Exploitation of these vulnerabilities requires an attacker to first gain authenticated access to your Redis instance.

There are several steps you can take to protect your Redis from being accessed by a malicious actor. To minimize the risk of exploitation, it’s important to follow these best practices:

  • Restrict Network Access: Ensure that only authorized users and systems have access to the Redis database. Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity.
  • Enforce Strong Authentication: Enforce the use of credentials for all access to Redis instances. Avoid configurations that allow unauthenticated access, and ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
  • Limit Permissions: Ensure that user identities with access to Redis are granted the minimum permissions necessary. Only allow trusted identities to run Lua scripts or any other potentially risky commands.
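The three practices above map onto a handful of redis.conf directives and ACL rules. The following audit script is an added example (not Redis project code) that flags a configuration which violates them; the directive and ACL syntax is standard Redis, while the sample file, the severities and the `-@scripting` rule of thumb are this example's own assumptions.

```python
# Added example (not Redis project code): audit a redis.conf for the exposures the
# practices above address. Directive/ACL syntax is standard Redis; sample file is constructed.
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}   # bind targets that listen on every interface

# Constructed redis.conf excerpt with several weak settings.
SAMPLE_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so the default user keeps nopass
user default on nopass ~* &* +@all
user app on >app-secret ~app:* +@read +@write
user batch on >batch-secret ~* +@all
"""

def parse_conf(text):
    """Return (directives, users): last value per directive, plus each 'user' ACL line as tokens."""
    directives, users = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "user":
            users.append(value.split())
        else:
            directives[key] = value.strip()
    return directives, users

def audit_redis_conf(text):
    """Return (severity, message) findings; an empty list means no weak setting was found."""
    d, users = parse_conf(text)
    findings = []
    bind = d.get("bind", "127.0.0.1")
    if any(tok.lstrip("-") in ALL_INTERFACES for tok in bind.split()):
        findings.append(("high", "bind %s listens on all interfaces; bind only to trusted addresses" % bind))
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append(("high", "protected-mode no: enable it so an unbound, passwordless instance only answers loopback clients"))
    default_user = next((u for u in users if u[0] == "default"), None)
    if "requirepass" not in d and (default_user is None or "nopass" in default_user):
        findings.append(("high", "no requirepass and the default user has nopass: unauthenticated access is possible"))
    for u in users:   # least privilege: only users who need Lua should be able to run EVAL
        rules = u[1:]
        if ("+@all" in rules or "+@scripting" in rules) and "-@scripting" not in rules:
            findings.append(("medium", "user %s may run Lua scripts; add -@scripting unless required" % u[0]))
    return findings

if __name__ == "__main__":
    for severity, message in audit_redis_conf(SAMPLE_CONF):
        print(severity.upper(), message)
```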

For more details on how to securely configure, deploy, and use Redis, visit the Community Edition and Enterprise Software documentation sites.

How can I remediate?

We’ve already upgraded our Redis Cloud service with the fixes, so no additional action is required from you.

If you’re self-managing Redis, whether Software or Community versions, upgrade your Redis to the latest release.

The versions of Redis OSS, CE, Stack, and Software listed below include the corrections. Once the upgrades are performed, these vulnerabilities will be remediated in your environment.

Impacted releases and fixed releases

CVE-2024-46981: Lua Use-After-Free Remote Code Execution Vulnerability. CVSS Score: 7.0 (High)

Redis Software
Impacted releases: all Redis Software releases
Fixed releases:
  • 7.4.6-102 and above
  • 7.2.4-117 and above
  • 6.4.2-115 and above
  • 6.2.18-88 and above
  • 7.6.0-116 and above (non-GA)
  • 7.8.x and above
All of the Software versions above include the module CVE fixes.

Redis OSS/CE/Stack
Impacted releases: all Redis OSS/CE/Stack releases
Fixed releases (OSS/CE):
  • 7.4.2 and above
  • 7.2.7 and above
  • 6.2.17 and above
Fixed releases (Stack):
  • 7.4.0-v2 and above
  • 7.2.0-v14 and above
  • 6.2.6-v18 and above (in process)
All of the Stack versions above include the module CVE fixes.

CVE-2024-51737 (RediSearch): Integer Overflow with LIMIT or KNN Arguments Can Lead to RCE. CVSS: 7.0 (High)
Impacted releases: RediSearch versions >= 2.0
Fixed releases:
  • 2.10.10 and above
  • 2.8.21 and above
  • 2.6.24 and above

CVE-2024-51480 (RedisTimeSeries): Integer Overflow Remote Code Execution Vulnerability. CVSS: 7.0 (High)
Impacted releases: RedisTimeSeries versions >= 1.0.0
Fixed releases:
  • 1.12.5 and above
  • 1.10.16 and above
  • 1.8.16 and above

CVE-2024-55656 (RedisBloom): Integer Overflow Remote Code Execution Vulnerability. CVSS: 8.8 (High)
Impacted releases: RedisBloom versions >= 2.0
Fixed releases:
  • 2.8.5 and above
  • 2.6.16 and above
  • 2.4.13 and above
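To check an OSS/CE/Stack server against the fixed releases above, the script below (an added example, not Redis project code) compares what the server reports in `INFO` with the per-branch floors from the tables. It assumes modules appear in `INFO` as `module:name=<name>,ver=<int>` with `ver = major*10000 + minor*100 + patch`, that RediSearch, RedisTimeSeries and RedisBloom report the names `search`, `timeseries` and `bf`, and it does not handle Redis Software's `x.y.z-NNN` build numbering; the sample `INFO` excerpt is constructed.

```python
# Added example (not Redis project code): compare versions a Redis OSS/CE/Stack server reports
# in INFO with the fixed releases above. Assumed: 'module:name=<n>,ver=<int>' lines with
# ver = major*10000 + minor*100 + patch, and module names search/timeseries/bf.
import re

# Lowest fixed release per maintained branch, taken from the tables above.
FIXED_CORE = {(7, 4): (7, 4, 2), (7, 2): (7, 2, 7), (6, 2): (6, 2, 17)}            # CVE-2024-46981
FIXED_MODULES = {
    "search":     {(2, 10): (2, 10, 10), (2, 8): (2, 8, 21), (2, 6): (2, 6, 24)},   # CVE-2024-51737
    "timeseries": {(1, 12): (1, 12, 5), (1, 10): (1, 10, 16), (1, 8): (1, 8, 16)},  # CVE-2024-51480
    "bf":         {(2, 8): (2, 8, 5), (2, 6): (2, 6, 16), (2, 4): (2, 4, 13)},      # CVE-2024-55656
}

# Constructed INFO excerpt: an unpatched 7.4 core with one unpatched and two patched modules.
SAMPLE_INFO = """# Server
redis_version:7.4.1
# Modules
module:name=search,ver=21009,api=1,filters=0,usedby=[],using=[],options=[]
module:name=timeseries,ver=11205,api=1,filters=0,usedby=[],using=[],options=[]
module:name=bf,ver=20805,api=1,filters=0,usedby=[],using=[],options=[]
"""

def decode_module_version(ver):
    """Split the integer module version into (major, minor, patch)."""
    return (ver // 10000, (ver // 100) % 100, ver % 100)

def parse_info(text):
    """Return (core_version, {module_name: version}) from INFO output; core is None if absent."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", text, re.M)
    core = tuple(int(x) for x in m.groups()) if m else None
    mods = {n: decode_module_version(int(v))
            for n, v in re.findall(r"^module:name=([^,]+),ver=(\d+)", text, re.M)}
    return core, mods

def is_fixed(version, fixed_by_branch):
    """True/False for branches in the table; None for a branch the advisory does not list."""
    floor = fixed_by_branch.get(version[:2])
    return None if floor is None else version >= floor

def assess(text):
    """Map each relevant component to (version, fixed?) so unpatched ones can be listed."""
    core, mods = parse_info(text)
    result = {"redis": (core, is_fixed(core, FIXED_CORE) if core else None)}
    for name, ver in mods.items():
        if name in FIXED_MODULES:
            result[name] = (ver, is_fixed(ver, FIXED_MODULES[name]))
    return result

if __name__ == "__main__":
    for component, (ver, fixed) in assess(SAMPLE_INFO).items():
        print(component, ver, {True: "fixed", False: "VULNERABLE", None: "branch not listed"}[fixed])
```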

How can I tell if I was already exposed?

We have no evidence of exploitation of these vulnerabilities in Redis Cloud or reported in customer environments.

Below are general indicators of potential exploitation which you may use to search within your operating environment.

These technical and behavioral indicators or artifacts could be created if exploitation occurred. Searching for them within your Redis environment may help you detect potential exploitation of your Redis instance.

  • Access to the Redis database from unauthorized or unknown sources
  • Unknown or anomalous network ingress traffic to the Redis database
  • Unknown or unexpected use of the EVAL and SCRIPT FLUSH commands
  • Unexplained Redis server crashes, specifically crashes with a stack trace that originates from the Lua engine
  • Unknown, unexpected, or anomalous command execution by the redis-server user
  • Unknown or anomalous network egress traffic (or attempts) from the Redis database
  • Unknown or anomalous changes to the file system, in particular in directories that host Redis persistent or configuration files
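The first three indicators above can be checked against a `redis-cli MONITOR` capture. The script below is an added example (not Redis project code) that flags commands from sources outside a trusted list, EVAL and SCRIPT FLUSH usage, and oversized numeric arguments to the module commands named in the vulnerability descriptions; the MONITOR line format is the standard `<ts> [<db> <addr>] "CMD" "arg" ...`, while the trusted-source list, the size threshold and the sample lines are assumptions of this example.

```python
# Added example (not Redis project code): triage redis-cli MONITOR output for the indicators
# above. Trusted sources, the size threshold and the sample capture are constructed.
import re

TRUSTED_SOURCES = {"10.0.0.5", "10.0.0.6", "lua", "unix"}   # assumed app hosts; "lua" = issued from a script
SCRIPTING = {"EVAL", "EVALSHA", "SCRIPT"}
# Commands named in this advisory whose numeric arguments drive the integer-overflow bugs.
MODULE_CMDS = {"FT.SEARCH", "FT.AGGREGATE", "TS.QUERYINDEX", "TS.MGET",
               "TS.MRANGE", "TS.MREVRANGE", "CMS.INITBYDIM"}
BIG_ARG = 2**31 - 1   # assumed: no legitimate client passes LIMIT/KNN/WIDTH/DEPTH values this large

LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # MONITOR prints every argument double-quoted

# Constructed MONITOR capture: normal traffic, an unknown host using Lua, then huge sketch dimensions.
SAMPLE_MONITOR = """\
1727862800.100000 [0 10.0.0.5:41230] "GET" "app:session:1"
1727862801.200000 [0 10.0.0.5:41230] "FT.SEARCH" "idx" "hello" "LIMIT" "0" "10"
1727862802.300000 [0 198.51.100.7:50111] "EVAL" "return redis.call('get', KEYS[1])" "1" "k"
1727862803.400000 [0 198.51.100.7:50111] "SCRIPT" "FLUSH"
1727862804.500000 [0 10.0.0.6:41300] "CMS.INITBYDIM" "sketch" "4294967295" "4294967295"
"""

def parse_monitor_line(line):
    """Return {'ts', 'db', 'source', 'args'} or None for a line that is not MONITOR output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, db, addr, rest = m.groups()   # addr is host:port, 'lua', or 'unix:<path>'
    return {"ts": float(ts), "db": int(db), "source": addr.rsplit(":", 1)[0], "args": ARG_RE.findall(rest)}

def triage(lines):
    """Return one hit per suspicious line, each listing the indicator(s) that matched."""
    hits = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd = ev["args"][0].upper()
        reasons = []
        if ev["source"] not in TRUSTED_SOURCES:
            reasons.append("untrusted source %s" % ev["source"])
        if cmd in SCRIPTING:   # show the subcommand for SCRIPT so SCRIPT FLUSH stands out
            reasons.append("scripting command " + (" ".join(ev["args"][:2]).upper() if cmd == "SCRIPT" else cmd))
        if cmd in MODULE_CMDS and any(int(a) > BIG_ARG for a in ev["args"][1:] if a.isdigit()):
            reasons.append("oversized numeric argument to %s" % cmd)
        if reasons:
            hits.append({"ts": ev["ts"], "source": ev["source"], "command": cmd, "reasons": reasons})
    return hits
```

Running `triage(SAMPLE_MONITOR.splitlines())` yields three hits: the EVAL and SCRIPT FLUSH from 198.51.100.7, and the CMS.INITBYDIM call with oversized dimensions.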

Acknowledgements

We thank the following researchers for identifying these vulnerabilities and reporting them through our published process:

  • CVE-2024-46981 reported by p33zy working with the Trend Micro Zero Day Initiative
  • CVE-2024-51480 reported by iddm (Shockingly God)
  • CVE-2024-55656 reported by Ricardo Silva (@rick2600) and Gabriel Quadros (@gqsilva) working with the Trend Micro Zero Day Initiative