CVE-2020-14147 Overview
CVE-2020-14147 is an integer overflow vulnerability in the getnum function within lua_struct.c in Redis versions prior to 6.0.3. This flaw allows attackers with permission to run Lua code in a Redis session to cause a denial of service through memory corruption and application crash, or potentially bypass intended sandbox restrictions. The vulnerability is triggered by providing a large number that causes a stack-based buffer overflow. Notably, this issue exists as a regression of a previously addressed vulnerability (CVE-2015-8080).
Critical Impact
Authenticated attackers with Lua script execution permissions can crash Redis instances or potentially escape sandbox restrictions, leading to service disruption and possible further exploitation in multi-tenant environments.
Affected Products
- Redis Labs Redis (versions prior to 6.0.3)
- Oracle Communications Operations Monitor (versions 3.4, 4.1, 4.2, 4.3)
- SUSE Linux Enterprise 12.0
- Debian Linux 10.0
Discovery Timeline
- 2020-06-15 - CVE-2020-14147 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-14147
Vulnerability Analysis
This integer overflow vulnerability exists in the Lua struct library bundled with Redis. The getnum function in lua_struct.c parses numeric values from format strings without properly validating the size of the accumulated integer. When processing format strings containing large numeric specifiers, the function performs arithmetic operations that can overflow the integer variable, resulting in unexpected behavior.
The vulnerability specifically manifests during the parsing loop where digits are accumulated. Each iteration multiplies the current value by 10 and adds the next digit, but no bounds checking is performed to prevent the integer from exceeding INT_MAX. This unchecked arithmetic allows an attacker to trigger a stack-based buffer overflow through carefully crafted Lua struct operations.
Root Cause
The root cause is insufficient integer overflow protection in the getnum function. The original fix for CVE-2015-8080 was either incomplete or was inadvertently removed in subsequent code changes, leading to this regression. The function directly multiplies and adds integer values without verifying that the result remains within valid bounds before proceeding with the calculation.
Attack Vector
An attacker requires authenticated access to a Redis instance with permission to execute Lua scripts. By crafting a Lua script that uses the struct library with maliciously large numeric format specifiers, the attacker can trigger the integer overflow. This network-accessible attack requires low privileges (authenticated access) and no user interaction.
The attack flow involves:
- Connecting to a vulnerable Redis instance with valid credentials
- Executing a Lua script using EVAL or EVALSHA commands
- Calling struct functions with format strings containing extremely large numbers
- Triggering the integer overflow in getnum, leading to memory corruption
// Security patch from deps/lua/src/lua_struct.c
// Source: https://github.com/antirez/redis/commit/ef764dde1cca2f25d00686673d1bc89448819571
} Header;
-static int getnum (const char **fmt, int df) {
+static int getnum (lua_State *L, const char **fmt, int df) {
if (!isdigit(**fmt)) /* no number? */
return df; /* return default value */
else {
int a = 0;
do {
+ if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0')))
+ luaL_error(L, "integral size overflow");
a = a*10 + *((*fmt)++) - '0';
} while (isdigit(**fmt));
return a;
The patch adds proper bounds checking before each arithmetic operation, verifying that multiplying by 10 and adding the next digit won't exceed INT_MAX. If an overflow would occur, a Lua error is raised instead of proceeding with corrupted values.
Detection Methods for CVE-2020-14147
Indicators of Compromise
- Unexpected Redis process crashes or restarts, particularly after Lua script execution
- Core dumps indicating memory corruption in lua_struct.c or related Lua library functions
- Anomalous Lua script executions containing unusually large numeric literals in struct operations
- Redis error logs showing segmentation faults or memory access violations
Detection Strategies
- Monitor Redis logs for crash events correlating with EVAL or EVALSHA command execution
- Implement Lua script auditing to flag struct operations with numeric specifiers exceeding reasonable thresholds
- Deploy application-level monitoring to detect unusual patterns in Lua script submissions
- Use memory corruption detection tools in staging environments to identify exploitation attempts
Monitoring Recommendations
- Enable Redis slow log and monitor for complex Lua scripts that may indicate exploitation attempts
- Configure process monitoring to alert on unexpected Redis terminations
- Implement network monitoring to detect authenticated sessions executing suspicious Lua code
- Review Redis ACLs regularly to ensure Lua script permissions are appropriately restricted
How to Mitigate CVE-2020-14147
Immediate Actions Required
- Upgrade Redis to version 6.0.3 or later immediately
- Restrict Lua script execution permissions using Redis ACLs where possible
- Audit existing Lua scripts for potentially malicious struct operations
- Consider disabling Lua scripting temporarily if upgrade cannot be performed immediately
Patch Information
Redis Labs has released version 6.0.3 which includes the security fix for this vulnerability. The patch is available through the GitHub Redis Commit and was merged via GitHub Redis Pull Request #6875.
Distribution-specific patches are available:
- Debian Security Advisory DSA-4731
- Gentoo GLSA 202008-17
- openSUSE Security Announcement
- Oracle CPU January 2021 Alert
Workarounds
- Implement strict Redis ACLs to limit which users can execute Lua scripts
- Use network segmentation to restrict access to Redis instances to trusted clients only
- Deploy Redis behind authentication and ensure strong credential policies
- Monitor and limit the complexity of Lua scripts allowed in production environments
# Configuration example - Restrict Lua script permissions via Redis ACL
# Create a user without Lua scripting capabilities
redis-cli ACL SETUSER restricted-user on >password ~keys:* +@read +@write -@scripting
# Verify ACL configuration
redis-cli ACL LIST
# Monitor for Lua script execution attempts
redis-cli MONITOR | grep -E "(EVAL|EVALSHA)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
