Last updated date: December 13, 2021
Redis is aware of and evaluating this vulnerability. This is a developing product security event and product status can change as more information becomes available.
Redis Enterprise (our self-managed software product) does not use Java and is therefore not impacted by this vulnerability.
Redis Cloud (our managed cloud service) is not directly impacted by this vulnerability. We have identified and taken steps to mitigate this vulnerability in our Cloud API (CAPI) and limited parts of our management infrastructure.
No workarounds or mitigations are required for Redis products at this time.
Open source Redis does not use Java and is therefore not impacted by this vulnerability.
Jedis is a Redis-sponsored Java client. It uses the affected library in test suites only. A new Jedis release is now available that mitigates the vulnerability. End users are advised to evaluate their exposure to determine upgrade urgency.
End users are advised to follow updates and guidance from the maintainers and the community.
We continue to actively monitor our business infrastructure to identify vulnerable assets, but no action is required on the part of our customers. Where we have identified this potential vulnerability in our business infrastructure, we have been running an ongoing effort to upgrade these systems and deploy appropriate fixes to ensure their integrity.
We will continue to evaluate this matter, and if we determine Redis or our customers are impacted going forward, we will take all appropriate measures to help protect our customers and provide additional communications. We appreciate your trust in us as we continue to make your success our top priority.