Bug 2336004 (CVE-2024-46981) - CVE-2024-46981 redis: Redis' Lua library commands may lead to remote code execution
Summary: CVE-2024-46981 redis: Redis' Lua library commands may lead to remote code exe...
Status: NEW
Alias: CVE-2024-46981
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
Depends On: 2336073
Reported: 2025-01-06 22:01 UTC by OSIDB Bzimport
Modified: 2025-01-27 02:35 UTC (History)





Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:0638 0 None None None 2025-01-23 00:06:01 UTC
Red Hat Product Errata RHBA-2025:0698 0 None None None 2025-01-27 02:35:18 UTC
Red Hat Product Errata RHSA-2025:0398 0 None None None 2025-01-20 01:16:41 UTC
Red Hat Product Errata RHSA-2025:0399 0 None None None 2025-01-20 01:17:26 UTC
Red Hat Product Errata RHSA-2025:0400 0 None None None 2025-01-20 01:16:03 UTC
Red Hat Product Errata RHSA-2025:0566 0 None None None 2025-01-21 21:15:57 UTC
Red Hat Product Errata RHSA-2025:0595 0 None None None 2025-01-22 10:36:37 UTC
Red Hat Product Errata RHSA-2025:0640 0 None None None 2025-01-23 02:19:01 UTC
Red Hat Product Errata RHSA-2025:0685 0 None None None 2025-01-27 01:26:02 UTC
Red Hat Product Errata RHSA-2025:0689 0 None None None 2025-01-27 01:25:51 UTC
Red Hat Product Errata RHSA-2025:0692 0 None None None 2025-01-27 01:35:17 UTC
Red Hat Product Errata RHSA-2025:0693 0 None None None 2025-01-27 01:25:23 UTC

Description OSIDB Bzimport 2025-01-06 22:01:06 UTC
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
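
The ACL workaround above is only effective if every enabled user actually loses EVAL and EVALSHA. The following is an added audit script, not part of this bug report and not Redis' own tooling: it replays each user's rules from `ACL LIST` output left to right (later rules override earlier ones, as Redis does) and reports enabled users who can still submit Lua scripts. The sample ACL lines are constructed; Redis 7 selector syntax `( ... )` and per-subcommand rules are assumed absent and are not parsed.

```python
"""Audit Redis `ACL LIST` output for users still permitted to call EVAL/EVALSHA."""

# Constructed sample of `ACL LIST` output; "#<sha256>" stands in for a password hash.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user appuser on #<sha256> ~* &* +@all -eval -evalsha",
    "user reporting on #<sha256> ~* &* -@all +@read +eval",
    "user locked off #<sha256> ~* &* +@all",
    "user batch on #<sha256> ~* &* +@all -@scripting",
]

LUA_ENTRYPOINTS = {"eval", "evalsha"}   # the commands the advisory says to restrict
# ACL categories that contain both commands; other categories do not touch them.
CATEGORIES_WITH_LUA = {"all", "scripting", "slow"}

def lua_commands_allowed(acl_line):
    """Replay one user's rules left to right; return (user, enabled, allowed set)."""
    fields = acl_line.split()
    if len(fields) < 2 or fields[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    user, enabled, allowed = fields[1], True, set()
    for tok in fields[2:]:
        if tok in ("on", "off"):
            enabled = tok == "on"
        elif tok in ("allcommands", "+@all"):
            allowed = set(LUA_ENTRYPOINTS)
        elif tok in ("nocommands", "-@all"):
            allowed = set()
        elif tok[:2] in ("+@", "-@"):
            if tok[2:] in CATEGORIES_WITH_LUA:
                allowed = set(LUA_ENTRYPOINTS) if tok[0] == "+" else set()
        elif tok[0] in "+-" and tok[1:] in LUA_ENTRYPOINTS:
            (allowed.add if tok[0] == "+" else allowed.discard)(tok[1:])
        # password (>, #, nopass), key (~) and channel (&) rules do not affect commands
    return user, enabled, allowed

def users_exposed(acl_lines):
    """Map each enabled user that can still submit Lua scripts to the commands it keeps."""
    report = {}
    for line in acl_lines:
        user, enabled, allowed = lua_commands_allowed(line)
        if enabled and allowed:
            report[user] = sorted(allowed)
    return report

if __name__ == "__main__":
    for user, cmds in users_exposed(SAMPLE_ACL_LIST).items():
        print(f"{user}: may run {', '.join(cmds)}; fix with ACL SETUSER {user} -eval -evalsha")
```

On the sample data the script flags `default` (unrestricted `+@all`) and `reporting` (re-granted `+eval` after `-@all`), while `appuser`, `batch` and the disabled `locked` user are clean.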

Comment 2 errata-xmlrpc 2025-01-20 01:15:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:0400 https://access.redhat.com/errata/RHSA-2025:0400

Comment 3 errata-xmlrpc 2025-01-20 01:16:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:0398 https://access.redhat.com/errata/RHSA-2025:0398

Comment 4 errata-xmlrpc 2025-01-20 01:17:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:0399 https://access.redhat.com/errata/RHSA-2025:0399

Comment 5 errata-xmlrpc 2025-01-21 21:15:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:0566 https://access.redhat.com/errata/RHSA-2025:0566

Comment 6 errata-xmlrpc 2025-01-22 10:36:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:0595 https://access.redhat.com/errata/RHSA-2025:0595

Comment 7 errata-xmlrpc 2025-01-23 02:18:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:0640 https://access.redhat.com/errata/RHSA-2025:0640

Comment 8 errata-xmlrpc 2025-01-27 01:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:0693 https://access.redhat.com/errata/RHSA-2025:0693

Comment 9 errata-xmlrpc 2025-01-27 01:25:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:0689 https://access.redhat.com/errata/RHSA-2025:0689

Comment 10 errata-xmlrpc 2025-01-27 01:25:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2025:0685 https://access.redhat.com/errata/RHSA-2025:0685

Comment 11 errata-xmlrpc 2025-01-27 01:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:0692 https://access.redhat.com/errata/RHSA-2025:0692

