CVE-2022-24736 Overview
CVE-2022-24736 is a Null Pointer Dereference vulnerability affecting Redis, the popular in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker with the ability to execute Lua scripts can craft a specially designed script that triggers a NULL pointer dereference, causing the redis-server process to crash. This vulnerability enables a denial of service condition that can disrupt application availability for systems relying on Redis for caching, session management, or data storage.
Critical Impact
Attackers can crash Redis server instances by loading malicious Lua scripts, causing service disruption for dependent applications and potential data loss in non-persistent configurations.
Affected Products
- Redis versions prior to 6.2.7 and 7.0.0 (including 7.0 RC1, RC2, RC3)
- Fedora 34, 35, and 36 (containing vulnerable Redis packages)
- NetApp Management Services for Element Software and NetApp HCI
- Oracle Communications Operations Monitor versions 4.3, 4.4, and 5.0
Discovery Timeline
- April 27, 2022 - CVE-2022-24736 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-24736
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), which occurs when an application dereferences a pointer that it expects to be valid but is actually NULL. In the context of Redis, the Lua scripting engine processes user-supplied scripts to enable server-side logic execution. The vulnerability exists in the code path that handles specially crafted Lua scripts, where insufficient validation allows an attacker to trigger a code path that attempts to access memory through a NULL pointer.
When exploited, this causes an immediate crash of the redis-server process. While this vulnerability requires local access and low privileges to exploit, the impact on availability is high as it can completely halt Redis service operations without affecting confidentiality or integrity.
Root Cause
The root cause lies in insufficient input validation within Redis's Lua script processing engine. When parsing and executing certain malformed Lua script constructs, the code fails to properly check for NULL pointers before dereferencing them. This oversight allows attackers to craft Lua scripts that force the execution path into a state where a NULL pointer is accessed, immediately terminating the process.
The fix implemented in GitHub Pull Request #10651 adds proper NULL checks and validation to prevent the dereferencing of invalid pointers during Lua script execution.
Attack Vector
The attack requires local access to the Redis server with sufficient privileges to execute Lua scripts. An attacker can exploit this vulnerability through:
- Direct Script Loading: Using the SCRIPT LOAD command to load a malicious Lua script into the Redis script cache
- Script Evaluation: Using the EVAL command to directly execute a crafted Lua script
The attacker must have network access to the Redis server and authentication credentials (if enabled). Once these prerequisites are met, the attacker can send the malicious script which, when processed, triggers the NULL pointer dereference and crashes the server.
The vulnerability mechanism centers on how Redis handles certain edge cases in Lua script parsing. When a specially crafted script is submitted, it causes the internal script processing logic to reach a code path where a pointer variable remains uninitialized or is set to NULL, yet is subsequently dereferenced. This results in immediate process termination. For detailed technical information, refer to the GitHub Security Advisory GHSA-3qpw-7686-5984.
Detection Methods for CVE-2022-24736
Indicators of Compromise
- Unexpected redis-server process crashes or restarts in system logs
- Presence of unusual SCRIPT LOAD or EVAL commands in Redis audit logs
- Segmentation fault (SIGSEGV) entries in system logs associated with redis-server
- Spike in Redis connection attempts followed by immediate service failures
Detection Strategies
- Monitor Redis command logs for SCRIPT LOAD and EVAL commands from unexpected sources or with unusual patterns
- Implement process monitoring to detect unexpected redis-server terminations and rapid restart cycles
- Configure Redis slowlog and monitor for anomalous Lua script execution patterns
- Deploy network intrusion detection rules to identify potentially malicious Lua script payloads
Monitoring Recommendations
- Enable Redis ACL logging to track all script-related command execution
- Configure centralized log collection for Redis server logs with alerting on crash events
- Implement health checks that detect Redis service interruptions and alert operations teams
- Monitor system-level signals (SIGSEGV, SIGABRT) for the redis-server process
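As an added illustration of the detection strategies above (example code, not from the original advisory or the Redis project): the script below parses constructed MONITOR output and a constructed redis-server crash header, and reports which scripting commands arrived shortly before the crash and from which client. It assumes the server logs timestamps in UTC and that MONITOR (or an equivalent command capture) was active at the time.

```python
# Correlate redis-server crash headers with scripting commands seen in MONITOR
# output shortly before them. Added example, not Redis project code. Assumes
# both timestamps are UTC (Redis logs in server-local time; adjust as needed).
import re
from datetime import datetime, timezone

SCRIPT_CMDS = {"EVAL", "EVALSHA", "SCRIPT"}  # the SCRIPT LOAD and EVAL paths
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # MONITOR quotes every argument
# Crash report header, e.g. "Redis 6.2.6 crashed by signal: 11, si_code: 1"
CRASH_RE = re.compile(r'^\d+:\w+ (\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) # '
                      r'Redis (\S+) crashed by signal: (\d+)')
def parse_crashes(log_lines):
    """Return (utc_datetime, version, signal) per crash header line."""
    crashes = []
    for m in filter(None, map(CRASH_RE.match, log_lines)):
        when = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S.%f")
        crashes.append((when.replace(tzinfo=timezone.utc), m.group(2), int(m.group(3))))
    return crashes

def parse_monitor(monitor_lines):
    """Return (utc_datetime, client_addr, [args]) per MONITOR line."""
    events = []
    for m in filter(None, map(MONITOR_RE.match, monitor_lines)):
        when = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
        events.append((when, m.group(3), ARG_RE.findall(m.group(4))))
    return events

def correlate(monitor_lines, log_lines, window_s=10.0):
    """List scripting commands issued within window_s seconds before a crash."""
    hits = []
    for crash_at, _version, sig in parse_crashes(log_lines):
        for when, client, args in parse_monitor(monitor_lines):
            delta = (crash_at - when).total_seconds()
            if args and args[0].upper() in SCRIPT_CMDS and 0 <= delta <= window_s:
                n = 2 if args[0].upper() == "SCRIPT" else 1  # keep "SCRIPT LOAD"
                hits.append({"client": client, "command": " ".join(a.upper() for a in args[:n]),
                             "signal": sig, "seconds_before_crash": round(delta, 3)})
    return hits
# Constructed sample data (not from a real incident).
SAMPLE_MONITOR = [
    '1651053595.101000 [0 10.0.0.5:40212] "SET" "session:1" "abc"',
    '1651053598.412000 [0 10.0.0.9:51020] "SCRIPT" "LOAD" "<crafted body omitted>"',
    '1651053599.020000 [0 10.0.0.9:51020] "EVALSHA" "0000000000000000000000000000000000000000" "0"',
]
SAMPLE_LOG = ["4242:M 27 Apr 2022 10:00:00.500 # Redis 6.2.6 crashed by signal: 11, si_code: 1"]

if __name__ == "__main__":
    print(correlate(SAMPLE_MONITOR, SAMPLE_LOG))
```

Non-scripting commands in the window (the SET above) are ignored, and commands logged after the crash timestamp are never matched.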
How to Mitigate CVE-2022-24736
Immediate Actions Required
- Upgrade Redis to version 6.2.7 or 7.0.0 or later immediately
- If upgrade is not immediately possible, implement ACL rules to restrict SCRIPT LOAD and EVAL commands
- Review and audit all users and applications with Redis script execution privileges
- Ensure Redis instances are not exposed to untrusted networks
Patch Information
Redis has released patched versions that address this vulnerability:
- Redis 6.2.7: GitHub Release 6.2.7 - Stable release with fix
- Redis 7.0.0: GitHub Release 7.0.0 - Major version with fix included
The fix is tracked in GitHub Pull Request #10651. Additional vendor-specific patches are available from Fedora Package Announcements, NetApp Security Advisory, and Oracle CPU July 2022.
Workarounds
- If Lua scripting is not required, block access to SCRIPT LOAD and EVAL commands using Redis ACL rules
- Implement network segmentation to restrict Redis access to trusted application servers only
- Enable Redis authentication (requirepass) if not already configured
- Consider using Redis Sentinel or Cluster mode for high availability to minimize impact of individual instance crashes
# Redis ACL rules to block Lua scripting commands.
# ACL SETUSER is a server command (run it via redis-cli), not a CONFIG SET
# parameter; to persist the rules, run ACL SAVE with an aclfile configured,
# or add equivalent "user ..." lines to redis.conf or the aclfile.
# Create a restricted user that cannot execute scripting commands
ACL SETUSER restricted_user on >password ~* +@all -SCRIPT -EVAL -EVALSHA
# Alternatively, modify the default user to block scripting
ACL SETUSER default on nopass ~* +@all -SCRIPT -EVAL -EVALSHA
# On Redis 7.0 the @scripting category also covers EVAL_RO, EVALSHA_RO, FCALL
# and FUNCTION, so denying the whole category is the safer rule
ACL SETUSER default on nopass ~* +@all -@scripting
# Verify ACL configuration
ACL LIST
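To support the audit of script execution privileges recommended above (added example, not from the original page or the Redis project): a small Python check that replays the +/- rules from ACL LIST output and reports which enabled users can still reach scripting commands. The category table is a constructed subset; on a real server build it from ACL CAT scripting. Note that a per-command denylist of SCRIPT, EVAL and EVALSHA still leaves 7.0's EVAL_RO, EVALSHA_RO and FCALL reachable, which -@scripting closes.

```python
# Replay Redis ACL rules to find users that can still run Lua scripting
# commands. Added example, not Redis project code. Mirrors Redis's
# left-to-right, last-rule-wins handling of +/- rules at whole-command
# granularity (a subcommand rule like +script|exists counts as +script).
from __future__ import annotations

# Commands in Redis's @scripting category (FUNCTION/FCALL and the *_RO
# variants exist only in 7.0+, so they are simply absent on 6.2 servers).
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
             "function", "fcall", "fcall_ro"}
# Minimal category table for the demo; a real audit would build it from
# `ACL CAT <category>` on the target server.
CATEGORIES = {"scripting": SCRIPTING,
              "all": SCRIPTING | {"get", "set", "ping", "auth"}}

def allowed_commands(rules: list[str]) -> set[str]:
    """Apply +/- rules in order and return the resulting allowed command set."""
    allowed: set[str] = set()
    for rule in rules:
        rule = {"allcommands": "+@all", "nocommands": "-@all"}.get(rule, rule)
        if rule[0] not in "+-":
            continue  # on/off, passwords, key (~) and channel (&) patterns
        target = rule[1:].lower().split("|", 1)[0]  # drop any subcommand part
        cmds = CATEGORIES.get(target[1:], set()) if target.startswith("@") else {target}
        allowed = allowed | cmds if rule[0] == "+" else allowed - cmds
    return allowed

def users_with_scripting(acl_list: list[str]) -> dict[str, set[str]]:
    """Map each enabled user to the scripting commands it can still run."""
    findings = {}
    for line in acl_list:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user" or "off" in parts[2:]:
            continue  # not an ACL LIST line, or a disabled user
        risky = allowed_commands(parts[2:]) & SCRIPTING
        if risky:
            findings[parts[1]] = risky
    return findings
# Constructed ACL LIST output (not captured from a real server).
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    "user restricted_user on #0123abcd ~* &* +@all -script -eval -evalsha",
    "user app on #4567ef01 ~app:* &* +@all -@scripting",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for user, cmds in users_with_scripting(SAMPLE_ACL_LIST).items():
        print(f"{user}: can still run {sorted(cmds)}")
```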
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

