Soon after the publication of CVE-2022-35951, Instaclustr began investigating its potential impact on our Instaclustr for Redis™ offering. This vulnerability, present in Redis version 7.0.0 and greater, can be exploited by an authenticated attacker who executes a specially crafted XAUTOCLAIM command: the command triggers an integer overflow and a follow-up heap overflow, which has the potential to allow remote code execution.
We believe that the security controls that exist in our managed service – including but not limited to firewalls, detection, and compartmentalization practices – lower the risk of this vulnerability. However, due to the severity of the vulnerability, we have decided that releasing the newer patched version of Redis and subsequently upgrading customers on a vulnerable version (i.e. any Redis 7.0.x version released prior to Redis 7.0.5) is the best course of action. Redis 7.0.5 contains the fix and will soon be made available on the Instaclustr Managed Platform. If you have any questions, please get in contact with us via our support website.
- For customers on Redis 7.0.4:
  - We recommend upgrading to Redis 7.0.5 as soon as it’s available. We will be in touch with affected customers shortly to work out the next steps. We’re aiming to make it available in the coming days.
  - Alternatively, customers who want to take a more proactive stance can limit access to their Redis cluster to only trusted clients and ensure those clients are secure. This is always good security practice in any case.
  - As a further mitigation step, we will immediately be marking Redis 7.0.4 as Legacy Support, as per our lifecycle policy.
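To identify which nodes fall inside the affected window the advisory describes (7.0.0 up to, but not including, 7.0.5), here is an added Python check; it is not Instaclustr's own tooling. It parses the `redis_version` field of an `INFO server` reply, and the sample INFO text below is constructed rather than captured from a real cluster.

```python
"""Flag Redis nodes in the CVE-2022-35951 affected range: 7.0.0 <= version < 7.0.5."""
import re

FIRST_AFFECTED = (7, 0, 0)  # per the advisory, affected from 7.0.0 onward
FIXED_IN = (7, 0, 5)        # first release containing the fix, per the advisory


def parse_version(version: str) -> tuple:
    """Turn redis_version text such as '7.0.4' into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls in the 7.0.0 <= v < 7.0.5 window."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def parse_info_server(info_text: str) -> dict:
    """Parse the 'key:value' lines of an INFO server reply into a dict."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and section headers
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def assess_info(info_text: str) -> dict:
    """Return the parsed version and whether the node needs the 7.0.5 upgrade."""
    version = parse_info_server(info_text).get("redis_version", "")
    return {"version": version, "affected": is_affected(version)}


# Constructed sample INFO server output (not captured from a real cluster).
SAMPLE_INFO = """# Server
redis_version:7.0.4
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""

if __name__ == "__main__":
    print(assess_info(SAMPLE_INFO))  # {'version': '7.0.4', 'affected': True}
```

Feed it the output of `redis-cli INFO server` from each node to get a per-node verdict; anything reported as affected should be scheduled for the 7.0.5 upgrade.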
If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact [email protected].