1228327 – (CVE-2015-4335) CVE-2015-4335 redis: Lua sandbox escape and arbitrary code execution

Bug 1228327 (CVE-2015-4335) - CVE-2015-4335 redis: Lua sandbox escape and arbitrary code execution

Summary: CVE-2015-4335 redis: Lua sandbox escape and arbitrary code execution

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-4335
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1228331 1228332 1242869 1243157
Blocks:	1228330
TreeView+	depends on / blocked

Reported:	2015-06-04 15:39 UTC by Vasyl Kaigorodov
Modified:	2021-02-17 05:14 UTC (History)
CC List:	20 users (show)
Fixed In Version:	Redis 2.8.21, Redis 3.0.2
Clone Of:
Environment:
Last Closed:	2017-09-07 08:00:55 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1676	0	normal	SHIPPED_LIVE	Moderate: redis security advisory	2015-08-25 00:17:54 UTC

Description Vasyl Kaigorodov 2015-06-04 15:39:14 UTC

New Redis release (https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ) fixes a critical security issue that allows remote code execution with the account that runs Redis permissions.
Upstream patch that fixes this:
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411

CVE request: http://seclists.org/oss-sec/2015/q2/639

Comment 1 Vasyl Kaigorodov 2015-06-04 15:44:37 UTC

Created redis tracking bugs for this issue:

Affects: fedora-all [bug 1228331]
Affects: epel-all [bug 1228332]

Comment 5 Garth Mollett 2015-07-15 05:18:13 UTC

http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/

Comment 6 Fedora Update System 2015-07-18 02:00:39 UTC

redis-2.8.21-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-07-18 02:09:51 UTC

redis-2.8.21-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 errata-xmlrpc 2015-08-24 20:18:03 UTC

This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1676 https://rhn.redhat.com/errata/RHSA-2015-1676.html

Note You need to log in before you can comment on or make changes to this bug.

abaron
aortega
apevec
ayoung
carnil
chrisw
dallan
fabian.deutsch
fpercoco
gkotton
gmollett
i
jal233
lhh
lpeer
markmc
msamia
rbryant
rhos-maint
sclewis