Security update for redis SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2122-1 Final 1 1 2023-05-08T09:29:38Z current 2023-05-08T09:29:38Z 2023-05-08T09:29:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for redis This update for redis fixes the following issues: - CVE-2022-36021: Fixed possible integer overflow via specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands (bsc#1208790). - CVE-2023-28856: Fixed possible DoS when using HINCRBYFLOAT to create an hash field (bsc#1210548). - CVE-2023-25155: Fixed integer overflow in RAND commands that can lead to assertion (bsc#1208793). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2122,SUSE-SLE-Module-Server-Applications-15-SP4-2023-2122,openSUSE-SLE-15.4-2023-2122 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232122-1/ Link for SUSE-SU-2023:2122-1 https://lists.suse.com/pipermail/sle-updates/2023-May/029258.html E-Mail link for SUSE-SU-2023:2122-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208790 SUSE Bug 1208790 https://bugzilla.suse.com/1208793 SUSE Bug 1208793 https://bugzilla.suse.com/1210548 SUSE Bug 1210548 https://www.suse.com/security/cve/CVE-2022-36021/ SUSE CVE CVE-2022-36021 page https://www.suse.com/security/cve/CVE-2023-25155/ SUSE CVE CVE-2023-25155 page https://www.suse.com/security/cve/CVE-2023-28856/ SUSE CVE CVE-2023-28856 page SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.4 redis-6.2.6-150400.3.19.1 redis-6.2.6-150400.3.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 redis-6.2.6-150400.3.19.1 as a component of openSUSE Leap 15.4 Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9. CVE-2022-36021 SUSE Linux Enterprise Module for Server Applications 15 SP4:redis-6.2.6-150400.3.19.1 openSUSE Leap 15.4:redis-6.2.6-150400.3.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232122-1/ https://www.suse.com/security/cve/CVE-2022-36021.html CVE-2022-36021 https://bugzilla.suse.com/1208790 SUSE Bug 1208790 https://bugzilla.suse.com/1208793 SUSE Bug 1208793 Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9. CVE-2023-25155 SUSE Linux Enterprise Module for Server Applications 15 SP4:redis-6.2.6-150400.3.19.1 openSUSE Leap 15.4:redis-6.2.6-150400.3.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232122-1/ https://www.suse.com/security/cve/CVE-2023-25155.html CVE-2023-25155 https://bugzilla.suse.com/1208790 SUSE Bug 1208790 https://bugzilla.suse.com/1208793 SUSE Bug 1208793 Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-28856 SUSE Linux Enterprise Module for Server Applications 15 SP4:redis-6.2.6-150400.3.19.1 openSUSE Leap 15.4:redis-6.2.6-150400.3.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232122-1/ https://www.suse.com/security/cve/CVE-2023-28856.html CVE-2023-28856 https://bugzilla.suse.com/1210548 SUSE Bug 1210548