Bug 13575

Summary: [CVE 21] redis 7.0.11 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, e.kosachev, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
       y.tumanov: secteam_verified+
       a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2022-24834, CVE-2022-31144, CVE-2022-35951, CVE-2023-36824
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-24 00:22:59 MSK
Please patch the CVEs for package redis version 7.0.11.

INFO (CVEs found in redis 7.0.11):

CVE-2022-24834
Desc: Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-24834
Severity: HIGH

CVE-2022-31144
Desc: Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in a heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-31144
Severity: HIGH

CVE-2022-35951
Desc: Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5, are vulnerable to an integer overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. This has been patched in Redis version 7.0.5. No known workarounds exist.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-35951
Severity: CRITICAL

CVE-2023-36824
Desc: Redis is an in-memory database that persists on disk. In Redis 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios may lead to this: authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`, and authenticated users who were set with ACL rules that match key names executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-36824
Severity: HIGH
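The four advisories above each give explicit affected/fixed version boundaries, so the first thing a maintainer or auditor wants is a repeatable check of an installed server against them. The script below is an added example (not part of this report or of the ROSA redis package): it parses the version out of `redis-cli INFO server` output, `redis-server --version` output, or a bare version string, and reports which of the four CVEs listed here cover that version. The ranges are transcribed from the NVD descriptions quoted above; the script name, the `ADVISORIES` table layout and the sample `INFO` fragment are constructed for the example.

```python
"""Version-range check for the four Redis CVEs listed in this report.

Added example, not part of the report or of the ROSA package. The affected
ranges are transcribed from the NVD descriptions quoted above; a version
outside all of them is reported as "not affected" only with respect to
these four advisories.
"""
import re
import sys

Version = tuple[int, int, int]

# CVE -> (short description, list of (first affected, first fixed) half-open ranges).
# For CVE-2022-24834 the three branches follow the three fixed releases named in
# the description (6.0.20, 6.2.13, 7.0.12); the 2.6 lower bound is from the same text.
ADVISORIES: dict[str, tuple[str, list[tuple[Version, Version]]]] = {
    "CVE-2022-24834": ("cjson heap overflow from a crafted Lua script",
                       [((2, 6, 0), (6, 0, 20)), ((6, 2, 0), (6, 2, 13)), ((7, 0, 0), (7, 0, 12))]),
    "CVE-2022-31144": ("XAUTOCLAIM heap overflow",
                       [((7, 0, 0), (7, 0, 4))]),
    "CVE-2022-35951": ("XAUTOCLAIM COUNT integer overflow leading to heap overflow",
                       [((7, 0, 0), (7, 0, 5))]),
    "CVE-2023-36824": ("heap overflow while extracting key names (COMMAND GETKEYS / ACL key rules)",
                       [((7, 0, 0), (7, 0, 12))]),
}


def parse_version(text: str) -> Version:
    """Extract the server version from INFO output, --version output or a bare string.

    The `redis_version:` field is tried first so that other dotted numbers in an
    INFO dump (the `os:` line, for instance) are never picked up by mistake; the
    fallback takes the first x.y.z in the text.
    """
    m = (re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", text)
         or re.search(r"(\d+)\.(\d+)\.(\d+)", text))
    if not m:
        raise ValueError(f"no Redis version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> list[str]:
    """Return the CVE ids from ADVISORIES whose ranges contain `version`."""
    return [cve for cve, (_desc, ranges) in ADVISORIES.items()
            if any(lo <= version < hi for lo, hi in ranges)]


def report(text: str) -> str:
    """Human-readable verdict for one version string or INFO dump."""
    version = parse_version(text)
    hits = affected_cves(version)
    shown = ".".join(map(str, version))
    if not hits:
        return f"redis {shown}: not affected by the four CVEs in this report"
    lines = [f"redis {shown}: AFFECTED by {len(hits)} of 4:"]
    lines += [f"  {cve}: {ADVISORIES[cve][0]}" for cve in hits]
    return "\n".join(lines)


# Constructed sample: the `INFO server` fragment a 7.0.11 instance (the version
# this report was filed against) prints. Not captured from a real host.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.0.11\r\n"
    "redis_git_sha1:00000000\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.15.0 x86_64\r\n"
)

if __name__ == "__main__":
    # Usage: redis-cli INFO server | python3 redis_cve_check.py
    #    or: python3 redis_cve_check.py 7.0.12
    if len(sys.argv) > 1:
        source = sys.argv[1]
    elif not sys.stdin.isatty():
        source = sys.stdin.read()
    else:
        source = SAMPLE_INFO
    print(report(source))
```

Two caveats when using a check like this. First, it answers only for the four CVEs on this page, so a version outside every range is "not covered here", not "clean". Second, a distribution may backport fixes without bumping the upstream version, so on packaged builds confirm against the package changelog (here, the redis-7.0.12-1 update named in the comments below) rather than relying on the version string alone.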
Comment 1 Svyatoslav Matveev 2023-08-25 12:09:39 MSK
********** QA ADVISORY **********

The vulnerabilities are closed by the update.

*** redis
**  upd: 7.0.11 .. 7.0.12 (merge rosa2023.1)

https://abf.io/build_lists/4669768
https://abf.io/build_lists/4669767
https://abf.io/build_lists/4669769
https://abf.io/build_lists/4669771
https://abf.io/build_lists/4669770
Comment 2 Dmitry Postnikov 2023-08-28 11:28:21 MSK
***************************
The update was sent to testing.
Comment 3 Vladimir Potapov 2023-09-05 16:08:18 MSK
redis-7.0.12-1
https://abf.io/build_lists/4669768
https://abf.io/build_lists/4669767
https://abf.io/build_lists/4669769
https://abf.io/build_lists/4669771
https://abf.io/build_lists/4669770
****************************** Advisory ************************
CVEs fixed by update
****************************************************************
QA Verified
Comment 4 Yury 2023-10-19 10:51:13 MSK
secteam_verified