Bug 2221662 (CVE-2022-24834)

Summary: CVE-2022-24834 redis: heap overflow in the lua cjson and cmsgpack libraries
Product: [Other] Security Response Reporter: Zack Miele <zmiele>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acrosby, adudiak, agarcial, aileenc, amasferr, aoconnor, asegurap, bbuckingham, bcourt, bdettelb, caswilli, chazlett, crarobin, dffrench, dhughes, eglynn, ehelms, epacific, fjansen, gmalinko, gparvin, gzaronik, hhorak, hkataria, janstey, jburrell, jcammara, jhardy, jjoyce, jmadigan, jmitchel, jneedle, jobarker, jorton, jsherril, jtanner, kaycoth, kshier, lhh, lzap, mabashia, mburns, mgarciac, mhulan, micjohns, mkleinhe, mkudlej, myarboro, nathans, ngough, njean, nmoumoul, nweather, oezr, orabin, owatkins, pahickey, pamccart, pcreech, pdelbell, pgrist, rchan, rcollet, redis-maint, rgodfrey, simaishi, smcdonal, stcannon, sthirugn, teagle, tjochec, vkrizan, vmugicag, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: redis 7.0.12, redis 6.2.13, redis 6.0.20 Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow flaw was found in Redis. This flaw allows a local authenticated attacker user or attacker to execute a specially crafted Lua script in Redis. This attack triggers a heap overflow in the cjson and cmsgpack libraries, resulting in heap corruption and potential remote code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2222024, 2221671, 2221672, 2221674, 2221675, 2221676, 2221677, 2221678, 2221679, 2221681, 2221682, 2221692, 2221693, 2222025    
Bug Blocks: 2221650    

Description Zack Miele 2023-07-10 14:50:00 UTC 
CVE-2022-24834 - A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.

https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838
Comment 3 TEJ RATHI 2023-07-11 15:00:13 UTC 
Created redis tracking bugs for this issue:

Affects: epel-all [bug 2222024]
Affects: fedora-all [bug 2222025]
Comment 7 errata-xmlrpc 2025-01-22 10:35:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:0595 https://access.redhat.com/errata/RHSA-2025:0595
Comment 8 errata-xmlrpc 2025-01-27 01:25:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:0693 https://access.redhat.com/errata/RHSA-2025:0693