Bug 1198952 - (CVE-2022-24735) VUL-0: CVE-2022-24735: redis: Lua code injection
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv3.1:SUSE:CVE-2022-24735:3.9:(AV:...
Depends on:
Blocks:
Reported: 2022-04-27 21:14 UTC by Andreas Stieger
Modified: 2022-06-02 19:18 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2022-04-27 21:14:42 UTC
In Redis before 6.2.7, by exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

References:
https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES
Comment 1 Andreas Stieger 2022-04-27 21:23:59 UTC
bump to 6.2.7 https://build.opensuse.org/request/show/973269
Comment 3 Danilo Spinella 2022-05-03 09:15:47 UTC
codestream              | redis
SUSE:SLE-15:Update      | 6.0.14 
SUSE:SLE-15-SP2:Update  | 6.0.14
SUSE:SLE-15-SP4:Update  | 6.2.6

The patch doesn't apply to 6.0.14, the codebase is too different. In addition, 6.0.x is not maintained anymore, so there is no release fixing this CVE. How should I proceed?

https://github.com/redis/redis/pull/10651

For SLE-15-SP4:Update I'll open an ECO to update to 6.2.7.
Comment 4 Danilo Spinella 2022-05-03 09:58:50 UTC
After checking the patch from 6.2.7, it does apply to 6.0.14, so I will use that. 

I have checked the redis 6.2.7 release; it contains minor breaking changes, so I think it's better to just backport the fixes.
Comment 5 Andreas Stieger 2022-05-03 10:05:10 UTC
Don't forget to include the 6.0.16 fixes you still have open
Comment 6 Danilo Spinella 2022-05-03 10:29:25 UTC
(In reply to Andreas Stieger from comment #5)
> Don't forget to include the 6.0.16 fixes you still have open

Which fixes are you referring to?
Comment 8 Andreas Stieger 2022-05-03 11:01:47 UTC
CVE-2021-41099 bug 1191299
CVE-2021-32762 bug 1191300
CVE-2021-32687 bug 1191302
CVE-2021-32675 bug 1191303
CVE-2021-32672 bug 1191304
CVE-2021-32628 bug 1191305
CVE-2021-32627 bug 1191305
CVE-2021-32626 bug 1191306

Fixed in SUSE:SLE-15-SP2:Update/redis but not SUSE:SLE-15:Update/redis. Bringing this up since you mentioned SUSE:SLE-15:Update/redis explicitly.
Comment 9 Danilo Spinella 2022-05-03 14:43:20 UTC
Ah yeah, thanks for reminding me. I also included the fixes for those bugs.
Comment 11 Swamp Workflow Management 2022-05-25 16:16:06 UTC
SUSE-SU-2022:1842-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1198952,1198953
CVE References: CVE-2022-24735,CVE-2022-24736
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    redis-6.0.14-150200.6.11.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    redis-6.0.14-150200.6.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-06-02 19:18:41 UTC
SUSE-SU-2022:1929-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1198952,1198953
CVE References: CVE-2022-24735,CVE-2022-24736
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    redis-6.2.6-150400.3.3.7
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    redis-6.2.6-150400.3.3.7

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
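A verification step a practitioner would want after the two advisory comments above: check whether an installed redis package is at or past the fixed build for its product. This is an added example, not code from this bug, from SUSE or from the Redis project. The fixed package versions are the ones the advisories list; the inventory lines in the block are constructed; and rpm's version ordering is re-implemented here in simplified form (digit runs, letter runs and the '~' pre-release marker, no '^' handling) rather than calling the rpm Python bindings.

```python
import re
from typing import Dict, List, Tuple

# Fixed package builds as listed in SUSE-SU-2022:1842-1 and SUSE-SU-2022:1929-1 in this bug.
FIXED_PACKAGE: Dict[str, str] = {
    "openSUSE Leap 15.3": "redis-6.0.14-150200.6.11.1",
    "SUSE Linux Enterprise Module for Server Applications 15-SP3": "redis-6.0.14-150200.6.11.1",
    "openSUSE Leap 15.4": "redis-6.2.6-150400.3.3.7",
    "SUSE Linux Enterprise Module for Server Applications 15-SP4": "redis-6.2.6-150400.3.3.7",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def _segments(s: str) -> List[str]:
    """Split a version or release string into rpm-style segments: digit runs,
    letter runs and the '~' pre-release marker. Any other character only separates."""
    return _SEGMENT.findall(s)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with rpm's ordering rules.
    Simplified re-implementation for this example (no '^' marker support).
    Returns -1, 0 or 1 like rpm's own rpmvercmp()."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1  # '~' sorts before anything else
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)  # numeric segments compare as integers, so 11 > 8
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1  # a numeric segment is newer than an alpha segment
        elif x != y:
            return -1 if x < y else 1  # alpha segments compare lexically
    if len(sa) == len(sb):
        return 0
    # One string has trailing segments: it is newer, unless the first extra
    # segment is '~' (a pre-release suffix such as ~rc1), which makes it older.
    longer_is_a = len(sa) > len(sb)
    extra = (sa if longer_is_a else sb)[min(len(sa), len(sb))]
    if extra == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_nvr(pkg: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' (e.g. redis-6.0.14-150200.6.11.1).
    The name may contain '-', so split from the right."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """Compare two builds of the same package: version first, then release."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_fixed(product: str, installed: str) -> bool:
    """True if the installed redis build is at or above the advisory's fixed build for that product."""
    return compare_nvr(installed, FIXED_PACKAGE[product]) >= 0


if __name__ == "__main__":
    # Constructed sample inventory (product, installed NVR); these are not real hosts.
    inventory = [
        ("openSUSE Leap 15.3", "redis-6.0.14-150200.6.8.1"),     # older release: still affected
        ("openSUSE Leap 15.3", "redis-6.0.14-150200.6.11.1"),    # exactly the fixed build
        ("openSUSE Leap 15.4", "redis-6.2.6-150400.3.3.7"),      # fixed
        ("openSUSE Leap 15.4", "redis-6.2.6~rc1-150400.3.3.7"),  # constructed pre-release: older
    ]
    for product, nvr in inventory:
        state = "fixed" if is_fixed(product, nvr) else "AFFECTED (CVE-2022-24735)"
        print(f"{product:20} {nvr:32} {state}")
```

On a real host the installed NVR comes from `rpm -q redis`, and the comparison can be delegated to `rpm.labelCompare()` from the python3-rpm bindings instead of the re-implementation above; the point of the hand-written comparison is to show why a plain string or float comparison of "150200.6.11.1" against "150200.6.8.1" gives the wrong answer.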