CVE-2022-24735 Overview
CVE-2022-24735 is a Code Injection vulnerability affecting Redis, the popular in-memory database. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the potentially higher privileges of another Redis user. This vulnerability became particularly significant with the introduction of ACLs (Access Control Lists) in Redis 6.0, as these weaknesses can now be exploited by less privileged users to inject malicious Lua code that executes later when a privileged user runs a Lua script.
Critical Impact
Attackers with low-privilege Redis access can inject Lua code that executes with elevated privileges when higher-privileged users run Lua scripts, potentially leading to complete database compromise and unauthorized data access.
Affected Products
- Redis versions prior to 7.0.0 and 6.2.7
- Fedora 34, 35, and 36
- NetApp Management Services for Element Software
- NetApp Management Services for NetApp HCI
- Oracle Communications Operations Monitor 4.3, 4.4, and 5.0
Discovery Timeline
- April 27, 2022 - CVE-2022-24735 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-24735
Vulnerability Analysis
The vulnerability exists within the Lua script execution environment of Redis. The Lua scripting feature in Redis provides measures intended to prevent scripts from creating persistent side effects that could affect the execution of the same or different scripts at a later time. However, several weaknesses in these protective measures have been publicly known for an extended period.
Prior to Redis 6.0, these weaknesses had no security implications because the Redis security model did not include the concept of users or privileges. With the introduction of Access Control Lists (ACLs) in Redis 6.0, the security landscape changed significantly. Now, attackers with lower privilege levels can exploit these weaknesses to inject Lua code that persists and executes when a more privileged user subsequently runs a Lua script.
Root Cause
The root cause is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The fundamental issue lies in the insufficient isolation of the Lua script execution environment. The measures designed to prevent scripts from creating persistent side effects that could influence future script executions are inadequate. When combined with the ACL system introduced in Redis 6.0, this allows privilege escalation through carefully crafted Lua code injection.
Attack Vector
The attack requires local access and user interaction. An attacker must first gain access to a Redis instance with at least minimal privileges. The attacker then injects malicious Lua code that exploits the weak isolation in the Lua execution environment. This injected code remains dormant until a user with higher privileges executes a Lua script, at which point the malicious code runs with the elevated privileges of that user.
The attack flow proceeds as follows: The attacker uses commands like SCRIPT LOAD or EVAL to introduce malicious Lua code into the Redis environment. The malicious payload exploits weaknesses in how Redis prevents side effects from persisting across script executions. When a privileged user later executes any Lua script, the injected code executes with their elevated permissions, potentially granting the attacker unauthorized access to data or functionality.
Detection Methods for CVE-2022-24735
Indicators of Compromise
- Unusual or unauthorized use of SCRIPT LOAD or EVAL commands by low-privilege users
- Unexpected Lua script execution patterns or errors in Redis logs
- Privilege escalation attempts detected in Redis ACL audit logs
- Anomalous data access patterns following Lua script execution by privileged users
Detection Strategies
- Monitor Redis command logs for SCRIPT LOAD and EVAL commands from unexpected users or sources
- Implement alerting on ACL violations or unusual privilege usage patterns in Redis
- Review Redis slow log and command statistics for anomalous Lua scripting activity
- Deploy endpoint detection solutions capable of monitoring Redis process behavior and script execution
Monitoring Recommendations
- Enable Redis logging with sufficient verbosity to capture command execution details
- Configure SIEM rules to correlate Redis command patterns with user privilege levels
- Establish baseline Lua script usage patterns and alert on deviations
- Monitor for Redis version information to ensure vulnerable instances are identified
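The detection and monitoring items above can be turned into a small check. The following is an added example written for this page, not code from Redis or from the original advisory. It scans Redis MONITOR output for scripting commands issued by clients outside an allowlist, scans ACL LOG entries for denied scripting commands, and compares an INFO server version string against the fixed releases. The sample MONITOR lines, ACL LOG entries and the trusted-client address are constructed for the example; MONITOR's line layout and ACL LOG's field names are the real Redis formats.

```python
import re
from dataclasses import dataclass

# Redis commands that load or run Lua scripts, as they appear in MONITOR / ACL LOG output.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}

# MONITOR line shape: <unix time> [<db> <client addr>] "<cmd>" "<arg>" ...
# (the client field reads "lua" for commands a running script issues via redis.call).
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] "(?P<cmd>[^"]+)"(?P<args>.*)$'
)


@dataclass
class Finding:
    kind: str        # which rule fired
    principal: str   # client address (MONITOR) or ACL username (ACL LOG)
    command: str
    detail: str


def scan_monitor(lines, trusted_script_clients):
    """Flag scripting commands issued by clients outside the trusted set.

    MONITOR output carries the client address but not the ACL username, so the
    allowlist is keyed by address; correlate with CLIENT LIST or connection logs
    to recover which user was behind the connection.
    """
    findings = []
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue  # not a command line (e.g. the initial "OK" banner)
        client, cmd = m.group("client"), m.group("cmd").upper()
        if client == "lua":
            continue  # nested command from inside a script; the outer EVAL is what we track
        if cmd in SCRIPTING_COMMANDS and client not in trusted_script_clients:
            findings.append(Finding("untrusted_scripting", client, cmd, m.group("args").strip()))
    return findings


def scan_acl_log(entries):
    """Flag ACL LOG entries where a scripting command was denied.

    Each entry is a dict keyed by the field names ACL LOG returns (count, reason,
    context, object, username, ...). reason == "command" means the command itself
    was refused, and object then holds the command name.
    """
    findings = []
    for e in entries:
        cmd = str(e.get("object", "")).upper()
        if e.get("reason") == "command" and cmd in SCRIPTING_COMMANDS:
            findings.append(Finding("acl_denied_scripting", e.get("username", "?"), cmd,
                                    f"count={e.get('count')} context={e.get('context')}"))
    return findings


def is_vulnerable_version(redis_version):
    """True if an INFO server 'redis_version' value predates the fix.

    Fixed releases are 6.2.7 (6.2 branch) and 7.0.0, so anything older than
    6.2.7 is affected and 6.2.7+ / 7.x are not.
    """
    parts = tuple(int(re.match(r"\d+", p).group()) for p in redis_version.split(".")[:3])
    return parts < (6, 2, 7)


# Constructed sample data (not captured from a real instance).
TRUSTED_SCRIPT_CLIENTS = {"10.0.0.5:52144"}   # e.g. the application server's connection
SAMPLE_MONITOR_LINES = [
    'OK',
    '1651060800.123456 [0 10.0.0.5:52144] "GET" "user:1"',
    '1651060800.223456 [0 10.0.0.9:41022] "SCRIPT" "LOAD" "return redis.call(\'get\', KEYS[1])"',
    '1651060800.323456 [0 lua] "get" "user:1"',
    '1651060800.423456 [0 10.0.0.5:52144] "EVALSHA" "<sha1 placeholder>" "1" "user:1"',
]
SAMPLE_ACL_LOG = [
    {"count": 3, "reason": "command", "context": "toplevel", "object": "eval",
     "username": "reporting", "age-seconds": "1.2", "client-info": "id=7 addr=10.0.0.9:41022"},
    {"count": 1, "reason": "key", "context": "toplevel", "object": "secret:1",
     "username": "app", "age-seconds": "40.0", "client-info": "id=9 addr=10.0.0.7:50010"},
]

if __name__ == "__main__":
    for f in scan_monitor(SAMPLE_MONITOR_LINES, TRUSTED_SCRIPT_CLIENTS) + scan_acl_log(SAMPLE_ACL_LOG):
        print(f)
    print("6.2.6 vulnerable:", is_vulnerable_version("6.2.6"))
```

On the sample data the MONITOR scan reports the SCRIPT LOAD from the untrusted client and ignores both the nested `[0 lua]` command and the EVALSHA from the trusted client, while the ACL LOG scan reports the denied EVAL by `reporting`. A denied scripting command is the cheap signal to alert on; a permitted one from an unexpected client is the one worth investigating.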
How to Mitigate CVE-2022-24735
Immediate Actions Required
- Upgrade Redis to 6.2.7 or later on the 6.2 branch, or to 7.0.0 or later, as soon as possible
- If immediate patching is not possible, use ACL rules to deny the Lua scripting commands (EVAL, EVALSHA, SCRIPT) to untrusted users
- Audit current Redis ACL configurations to ensure proper privilege separation
- Review Redis access patterns to identify potentially compromised instances
Patch Information
Redis has released fixed versions addressing this vulnerability: 6.2.7 on the 6.2 branch and 7.0.0. Upgrading to one of these versions or later is the primary remediation. Details of the fix are in the GitHub Security Advisory GHSA-647m-2wmq-qmvq and the associated GitHub pull request. Additional vendor advisories are available from Oracle, NetApp, and Gentoo.
Workarounds
- If Lua scripting is not required, block access to SCRIPT LOAD and EVAL commands using ACL rules
- Restrict Redis network access to trusted hosts and users only
- Implement network segmentation to limit exposure of Redis instances
- Consider running Redis with minimal privileges and in isolated environments
# ACL rule that removes the Lua scripting commands (EVAL, EVALSHA, SCRIPT) from an
# existing untrusted user. Applied at runtime via redis-cli; persist it with ACL SAVE
# (when an aclfile is configured) or CONFIG REWRITE. In redis.conf or the ACL file the
# same rules go on a "user <name> ..." directive rather than ACL SETUSER.
ACL SETUSER untrusted_user -@scripting
# Or deny the individual commands. Redis 6.x accepts subcommand rules only in the
# additive form (+script|load), so deny the whole SCRIPT command here; Redis 7.0 and
# later also accept -script|load.
ACL SETUSER untrusted_user -EVAL -EVALSHA -SCRIPT
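Applying the rule is only half of the workaround; the audit step is confirming that no user who should not run scripts still can. The following is an added example written for this page, not Redis code or the advisory's own tooling. It parses ACL LIST output, replays each user's rules left to right to see which scripting commands remain enabled, and prints the ACL SETUSER commands that would close the gap. The sample ACL LIST lines (including the all-zero password hashes) are constructed; the simplification that only @all, @scripting and explicit command tokens are modelled is an assumption noted in the code, and it errs toward over-reporting access.

```python
# Lua-related commands as named in Redis ACL rules (lower-case, as ACL LIST prints them).
SCRIPTING_COMMANDS = ("eval", "evalsha", "script")


def parse_acl_list_line(line):
    """Split one ACL LIST line, 'user <name> <flags and rules...>', into (name, tokens)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    return parts[1], parts[2:]


def scripting_access(tokens):
    """Return the set of scripting commands the rule tokens leave enabled.

    Rules are applied left to right, as Redis does, and a new ACL user starts
    with no commands. Simplification (assumption): only @all, @scripting and
    explicit command tokens are modelled; other categories (@slow, @dangerous,
    ...) are ignored, so the result may over-report access but never under-reports.
    """
    allowed = set()
    for tok in tokens:
        low = tok.lower()
        if low in ("allcommands", "+@all", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif low in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif low[0] in "+-" and not low.startswith(("+@", "-@")):
            cmd = low[1:].split("|", 1)[0]  # '+script|load' still enables SCRIPT
            if cmd in SCRIPTING_COMMANDS:
                if low[0] == "+":
                    allowed.add(cmd)
                else:
                    allowed.discard(cmd)
    return allowed


def audit_acl_list(lines):
    """Map each user to its enabled flag and the scripting commands it may run."""
    report = {}
    for line in lines:
        name, tokens = parse_acl_list_line(line)
        report[name] = {
            "enabled": "off" not in tokens,
            "scripting": sorted(scripting_access(tokens)),
        }
    return report


def proposed_fixes(report, trusted_users):
    """ACL SETUSER commands that strip scripting from enabled users not meant to have it."""
    return [f"ACL SETUSER {name} -@scripting"
            for name, info in report.items()
            if info["enabled"] and info["scripting"] and name not in trusted_users]


# Constructed ACL LIST output; the 64-character hashes are placeholders, not real digests.
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* &* -@all +@read +@write +eval",
    "user reporting on #" + "1" * 64 + " ~rpt:* &* -@all +@read",
    "user batch on #" + "2" * 64 + " ~job:* &* -@all +@read +script|load",
    "user legacy off nopass ~* &* +@all -@scripting",
]

if __name__ == "__main__":
    report = audit_acl_list(SAMPLE_ACL_LIST)
    for name, info in report.items():
        print(f"{name:10} enabled={info['enabled']} scripting={info['scripting']}")
    for cmd in proposed_fixes(report, trusted_users={"app"}):
        print(cmd)
```

Feed it the lines from `redis-cli ACL LIST` and treat every enabled user outside your intended scripting allowlist as a finding; note that the `default` user with `+@all` is the usual culprit, and that a partial allow such as `+script|load` still counts, since it is precisely the command that stages a script for later execution.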
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


