Security Advisory: CVE-2022-24735 Redis™

Technical
Redis

June 30, 2022
By Carrie Powick

Soon after the publication of CVE-2022-24735, Instaclustr began investigating its potential impact on our Redis™ offering. This vulnerability allows weaknesses in the Lua script execution environment to be exploited. An attacker with access to vulnerable versions could inject Lua code to be run by a user with high privileges.

We believe this vulnerability is not exploitable under our managed service, due to the ACLs that we apply to our standard users. However, due to the severity of the vulnerability, we decided that releasing the newer version of Redis was the best course of action. Redis 6.2.7 contains the fix and is now available on the Instaclustr Managed Platform. We recommend our customers running Redis 6.2.6 upgrade to this newer version. To do so, please get in touch with us via our support website.

Mitigation:

We recommend upgrading to Redis 6.2.7.

If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact [email protected].

References: https://nvd.nist.gov/vuln/detail/CVE-2022-24735

Instaclustr for Redis™ provides a fully managed service for Redis—SOC 2 certified and hosted in the cloud.

Get Started

Instaclustr Announces the General Availability of Instaclustr for Redis™ on Graviton 2

Redis Mirroring Is Now Generally Available

Redis™ 6.2.6 and Customer-Initiated Resize Are Now Generally Available