Redis is one of the most popular in-memory databases out there. It's lightweight, super-fast, and widely used for caching, session storage, queues, and more. But like any piece of software, Redis isn’t immune to bugs, and some of these flaws can spell trouble for your systems. One such problem came to light with CVE-2022-36021—a denial-of-service (DoS) vulnerability that could be exploited with nothing more than a special pattern in a search command. In this deep dive, we'll break down how this issue works, how it can be abused, and how you can protect yourself.
What is CVE-2022-36021?
CVE-2022-36021 is a serious flaw in Redis (versions before 6..18, 6.2.11, and 7..9), a very popular database system. With this vulnerability, an authenticated user can send certain string matching patterns using commands like SCAN or KEYS to cause Redis to hang and use 100% of CPU. This can make your entire Redis service stop responding, which is a big deal for any app that relies on fast, in-memory storage.
How Does It Work?
A key feature in Redis is pattern matching. Let’s say you want to fetch all keys that start with user:, you might use:
SCAN MATCH user:*
However, pattern matching in Redis uses an internal wildcard and string matching algorithm. If a user passes a specially crafted pattern—that's complex or causes lots of backtracking—this algorithm can get overwhelmed and eat all the CPU cycles, freezing Redis.
That’s all it takes for someone with access: send the right pattern, and your Redis server could become useless.
The two main commands involved
- KEYS — Searches keys in the database by a pattern. Not recommended for production since it blocks the server during operation.
For example, both of these are vulnerable
KEYS *foo\[\]*bar*
SCAN MATCH *foo\[\]*bar*
But the real attack comes when an attacker uses a highly complex pattern.
The Exploit in Action
Let’s see a demonstration in a simplified form. Assume you’re connected and authenticated to a vulnerable Redis instance.
Here’s a regex-like glob pattern that can cause Redis to choke ([[[[[[[[[[[[[[[")
Using redis-cli
redis-cli --scan --pattern '[[[[[[[[[[[[[[[[*'
Or with a Python script
3. Watch Redis Hang
Why Is This a Big Deal?
- Easy to Trigger: Any authenticated user (or app with valid credentials) can cause this. No special privileges needed.
- Affects Availability: Your caching, session, or queue system could go down, impacting users and services connected to Redis.
- Widespread Impact: Redis is used literally everywhere; Docker, Kubernetes, many public clouds, and almost every web stack.
Real-World Scenarios
- Insider Threats: An employee or service account with valid login could deliberately or accidentally take Redis down.
- Compromised Apps: If an attacker gets access to one of your app’s Redis credentials, they could use this to DoS your cache or queue.
- Multi-tenant Deployments: Hosting providers with shared Redis instances can have one bad tenant knocking out services for everyone else.
Fix: Upgrade Redis Now
The only proper fix is to upgrade your Redis instance.
7..9
If you’re running any version older than these, you’re still exposed!
You can check your current Redis version like this
redis-cli INFO SERVER | grep redis_version And update Redis following [the official guide.
References
- Official CVE Record: CVE-2022-36021
- Redis SECURITY.md
- Redis 6..18 Release Notes
- Redis 6.2.11 Release Notes
- Redis 7..9 Release Notes
- Understanding Redis Pattern Matching
Conclusion
CVE-2022-36021 is a pretty simple but dangerous flaw. Just one bad pattern sent by an authenticated user can lock up your Redis server, killing performance and possibly taking down your app.
If you’re running Redis in production, take five minutes right now to check your version—and upgrade if needed. Secure your access, watch for abuse, and you’ll keep your in-memory data fast and safe.
Timeline
Published on: 03/01/2023 16:15:00 UTC
Last modified on: 03/09/2023 01:07:00 UTC