Here’s what you need to do about the CVE-2022-24834 and CVE-2023-36824 vulnerabilities, as well as the updates available for affected customers.
We were made aware that Redis was affected by two security vulnerabilities, CVE-2022-24834 and CVE-2023-36824. In CVE-2022-24834, a specially crafted Lua script run in Redis can trigger a heap overflow in the cJSON and cmsgpack libraries, resulting in heap corruption and potentially remote code execution. In CVE-2023-36824, extracting key names from a command and its list of arguments can also trigger a heap overflow, resulting in reads of heap memory, heap corruption, and potentially remote code execution.
Redis has, of course, taken action to protect everyone from harm.
CVE-2023-36824 only affects 7.x versions.
No action is needed by Redis Enterprise Cloud customers. However, we encourage all Redis Enterprise, Redis Open Source, and Redis Stack customers to upgrade to a supported and patched version immediately.
We thank the security research community for helping us to keep Redis secure!