Debian Security Advisory
DLA-3361-1 redis -- LTS security update
- Date Reported:
- 13 Mar 2023
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2022-36021.
- More information:
It was discovered that there was a potential remote denial of service vulnerability in Redis, a popular key-value database.
Authenticated users could have used string matching commands (like
KEYS) with a specially crafted pattern to trigger a denial-of-service attack, causing it to hang and consume 100% CPU time.
Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.
For Debian 10
Buster, this problem has been fixed in version 5:5.0.14-1+deb10u3.
We recommend that you upgrade your redis packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS