Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3361-1 redis

Debian Security Advisory

DLA-3361-1 redis -- LTS security update

Date Reported:

13 Mar 2023

Affected Packages:

redis

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2022-36021.

More information:

It was discovered that there was a potential remote denial of service vulnerability in Redis, a popular key-value database.

Authenticated users could have used string matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack, causing it to hang and consume 100% CPU time.

• CVE-2022-36021

  Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.

For Debian 10 Buster, this problem has been fixed in version 5:5.0.14-1+deb10u3.

We recommend that you upgrade your redis packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS