CVE-2018-14633: The further_check_cred function in the Redis key value cache (redis_key_value_cache) in Redis on Red Hat Enterprise Linux (RHEL) 7 and Red Hat Enterprise Linux (RHEL) 6 is vulnerable to an information leak, which could allow a local user to obtain sensitive information from kernel memory. Redis is a data structure store, frequently associated with databases and used as a data source, similar to SQL. Redis has a very active open source community, with many third-party packages, including a key value cache. Redis is commonly used in clusters with high availability requirements, such as MariaDB and PostgreSQL, and the information leak may lead to data inaccessibility, which in turn may lead to data corruption.

It is recommended to apply the following mitigations for this issue:

* Redis 5.0.x and earlier: Upgrade to 5.
* Redis 3.x, 2.x and earlier: Upgrade to 3.x.
* Redis 4.0 and later: Upgrade to 4.0 or later.
* Redis 5.0 and later: Upgrade to 5.0 or later.
* Redis 6.x, 7.x, 8.x: A patch is available in the following repository: https://github.com/redis/redis/releases

References:

1. https://access.redhat.com/security/cve/CVE-2018-14633
2. https://access.redhat.com/security/cve/CVE-2022-40768

Timeline

Published on: 09/18/2022 05:15:00 UTC
Last modified on: 09/21/2022 15:07:00 UTC