Redis LUA Exploit
Severity
High
Vendor
Redis
Versions Affected
- Redis 3.0.1 or older
- Redis 2.8.20 or older
- Redis 2.6.x
Description
It was discovered that it is possible to break out of the LUA sandbox in Redis and execute arbitrary code. The user must have access to the Redis process to connect and execute the exploit to take advantage of the vulnerability.
Whilst all Redis instances are password protected and thus protected on the basis only authenticated users have access, new releases will be made available that contain the patched version of Redis.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Redis for Pivotal Cloud Foundry 1.4.4 or less
Mitigation
Users of affected versions should apply the following mitigation:
- A new release of Redis for Pivotal Cloud Foundry will be released which includes Redis 2.8.21 which resolves this vulnerability
Credit
Ben Murphy