Memory leak in Redis

#VU67749 Memory leak in Redis

Published: 2022-09-29

Vulnerability identifier: #VU67749

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33105

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Redis
Server applications / Database software

Vendor: Redis Labs

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak within the streamGetEdgeID component. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Redis: 7.0.0

External links
http://github.com/redis/redis/pull/10829
http://github.com/redis/redis/commit/4a7a4e42db8ff757cdf3f4a824f66426036034ef
http://github.com/redis/redis/pull/10753
http://raw.githubusercontent.com/redis/redis/7.0.1/00-RELEASENOTES
http://security.netapp.com/advisory/ntap-20220729-0005/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Redis

Denial of service in Redis