Security update for redis SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3407-1 Final 1 1 2023-08-23T18:08:28Z current 2023-08-23T18:08:28Z 2023-08-23T18:08:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for redis This update for redis fixes the following issues: - CVE-2023-28856: Fixed possible DoS when using HINCRBYFLOAT to create an hash field. (bsc#1210548) - CVE-2022-24834: Fixed a heap overflow in the cjson and cmsgpack libraries. (bsc#1213193) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3407,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-3407,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-3407,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-3407,SUSE-SLE-Product-RT-15-SP3-2023-3407,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-3407,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-3407,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-3407,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-3407,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-3407,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-3407,SUSE-Storage-7-2023-3407,SUSE-Storage-7.1-2023-3407 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233407-1/ Link for SUSE-SU-2023:3407-1 https://lists.suse.com/pipermail/sle-security-updates/2023-August/016003.html E-Mail link for SUSE-SU-2023:3407-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1210548 SUSE Bug 1210548 https://bugzilla.suse.com/1213193 SUSE Bug 1213193 https://www.suse.com/security/cve/CVE-2022-24834/ SUSE CVE CVE-2022-24834 page https://www.suse.com/security/cve/CVE-2023-28856/ SUSE CVE CVE-2023-28856 page SUSE Enterprise Storage 7 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Server 4.2 redis-6.0.14-150200.6.26.1 redis-6.0.14-150200.6.26.1 as a component of SUSE Enterprise Storage 7 redis-6.0.14-150200.6.26.1 as a component of SUSE Enterprise Storage 7.1 redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 redis-6.0.14-150200.6.26.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 redis-6.0.14-150200.6.26.1 as a component of SUSE Manager Proxy 4.2 redis-6.0.14-150200.6.26.1 as a component of SUSE Manager Server 4.2 Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20. CVE-2022-24834 SUSE Enterprise Storage 7.1:redis-6.0.14-150200.6.26.1 SUSE Enterprise Storage 7:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Real Time 15 SP3:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server 15 SP2-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server 15 SP3-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:redis-6.0.14-150200.6.26.1 SUSE Manager Proxy 4.2:redis-6.0.14-150200.6.26.1 SUSE Manager Server 4.2:redis-6.0.14-150200.6.26.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233407-1/ https://www.suse.com/security/cve/CVE-2022-24834.html CVE-2022-24834 https://bugzilla.suse.com/1213193 SUSE Bug 1213193 Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-28856 SUSE Enterprise Storage 7.1:redis-6.0.14-150200.6.26.1 SUSE Enterprise Storage 7:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Real Time 15 SP3:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server 15 SP2-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server 15 SP3-LTSS:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:redis-6.0.14-150200.6.26.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:redis-6.0.14-150200.6.26.1 SUSE Manager Proxy 4.2:redis-6.0.14-150200.6.26.1 SUSE Manager Server 4.2:redis-6.0.14-150200.6.26.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233407-1/ https://www.suse.com/security/cve/CVE-2023-28856.html CVE-2023-28856 https://bugzilla.suse.com/1210548 SUSE Bug 1210548