CVE-2023-22458 Overview
CVE-2023-22458 is an integer overflow vulnerability in Redis, the widely used in-memory data store with optional on-disk persistence. An authenticated user can trigger it by issuing an HRANDFIELD or ZRANDMEMBER command with specially crafted arguments; the result is an assertion failure that crashes the Redis server, a denial-of-service condition.
Critical Impact
Authenticated attackers can crash Redis servers by exploiting integer overflow conditions in the HRANDFIELD and ZRANDMEMBER commands, causing service disruption for all connected applications.
Affected Products
- Redis versions 6.2 up to but not including 6.2.9
- Redis versions 7.0 up to but not including 7.0.8
Discovery Timeline
- 2023-01-20 - CVE-2023-22458 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-22458
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw lies in the handling of the count argument of the HRANDFIELD and ZRANDMEMBER commands when the WITHVALUES or WITHSCORES option, respectively, is given. With that option each returned element produces two reply entries, so the server doubles the count internally; when an authenticated user supplies a count whose magnitude is large enough that this multiplication wraps around, the overflowed result leads to an assertion failure inside the Redis codebase.
The vulnerability requires local access and low privileges (authentication to Redis), with no user interaction. The impact is limited to availability; confidentiality and integrity are not affected. Despite the medium severity rating, the vulnerability has a notably high EPSS probability of 67.77% (98.55th percentile), indicating a significant likelihood of exploitation in the wild.
Root Cause
The root cause is insufficient validation of the count parameter before it is used in internal arithmetic. When WITHVALUES is given to HRANDFIELD or WITHSCORES to ZRANDMEMBER, the count is multiplied without a prior bounds check, so values near LONG_MAX or LONG_MIN overflow, the assertion fails, and the Redis process crashes.
Attack Vector
An attacker holding valid Redis credentials can send HRANDFIELD or ZRANDMEMBER commands that combine an extreme count value with the optional WITHVALUES or WITHSCORES flag. Because the vulnerability requires authenticated access, the attack surface is limited to users who already hold Redis credentials; in shared-hosting or multi-tenant environments, however, one authenticated user could disrupt service for every other user of the instance.
// Security patch in src/t_hash.c - Fix range issues in ZRANDMEMBER and HRANDFIELD
// Source: https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
- } else if (c->argc == 4)
+ } else if (c->argc == 4) {
withvalues = 1;
+ if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ addReplyError(c,"value is out of range");
+ return;
+ }
+ }
hrandfieldWithCountCommand(c, l, withvalues);
return;
}
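Review bot: the new bound `l < LONG_MIN/2 || l > LONG_MAX/2` carries no comment explaining the factor of two, and because the check sits only inside the `withvalues` branch, the plain `HRANDFIELD key count` path still passes `l` to `hrandfieldWithCountCommand(c, l, withvalues)` unchecked. A one-line comment next to the check stating why the bound is half the long range when WITHVALUES is present, and that the no-option path is intentionally left as is, would stop a later reader from "simplifying" the check by moving it out of the branch or widening the bound.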
// Security patch in src/t_zset.c - Fix range issues in ZRANDMEMBER and HRANDFIELD
// Source: https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
- } else if (c->argc == 4)
+ } else if (c->argc == 4) {
withscores = 1;
+ if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ addReplyError(c,"value is out of range");
+ return;
+ }
+ }
zrandmemberWithCountCommand(c, l, withscores);
return;
}
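Review bot: this is the same four-line check and the same "value is out of range" string as the t_hash.c hunk, duplicated verbatim; hoisting the bound into a shared helper or macro would keep the two commands from drifting apart on the next change. The generic message also tells the client nothing about which argument was rejected; the syntax error one line above uses shared.syntaxerr, and an equally specific message naming the count would make rejected commands easier to correlate in server and client logs.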
Detection Methods for CVE-2023-22458
Indicators of Compromise
- Unexpected Redis server crashes or restarts with assertion failure messages in logs
- Redis log entries showing HRANDFIELD or ZRANDMEMBER commands with unusually large count parameters
- Repeated connection attempts from specific clients followed by server crashes
- Assertion failure stack traces in Redis crash logs mentioning t_hash.c or t_zset.c
Detection Strategies
- Monitor Redis logs for assertion failures and unexpected process terminations
- Log commands via Redis MONITOR (only in short windows, since MONITOR noticeably reduces server throughput) or the slowlog to track suspicious HRANDFIELD/ZRANDMEMBER usage; note that a command which crashes the server never completes and so never reaches the slowlog, so MONITOR output or client-side logging is what captures the triggering command
- Set up process monitoring to detect Redis crashes and automatic restarts
- Deploy network-level monitoring to identify anomalous Redis command patterns from authenticated users
Monitoring Recommendations
- Configure alerting on Redis process restarts or crashes using your monitoring solution
- Enable Redis slowlog with appropriate thresholds to capture command execution patterns
- Implement log aggregation and analysis for Redis assertion failure patterns
- Monitor Redis availability metrics to quickly detect denial-of-service conditions
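The following scanner is added here as an illustration and is not part of the advisory or of the Redis project. It applies the indicators above to a few constructed lines of two kinds: MONITOR output, whose format is a timestamp, then [db client-addr], then the command and its arguments in double quotes, and server-log lines in Redis's pid:role date time # message format. It flags HRANDFIELD/ZRANDMEMBER calls whose count lies outside the bound the patch enforces while WITHVALUES or WITHSCORES is present, and assertion-failure traces naming t_hash.c or t_zset.c. The sample lines, addresses, key names and the t_hash.c:0 line number are constructed placeholders; the bound and the case-insensitive option matching mirror the patch. On a live system, feed it redis-cli MONITOR output or the server log one line at a time.

```c
/* Added example, not from the advisory or the Redis project: a scanner for the
 * indicators listed above, run over constructed sample lines. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 8
#define MAX_TOKEN_LEN 64
enum { HIT_NONE = 0, HIT_EXTREME_COUNT = 1, HIT_CRASH_TRACE = 2 };

/* Constructed sample input: five MONITOR lines, then two server-log lines.
 * Addresses, key names and the t_hash.c line number are placeholders. */
static const char *const SAMPLE_LINES[] = {
    "1674200000.000001 [0 10.0.0.5:51234] \"HRANDFIELD\" \"sessions\" \"-9223372036854775808\" \"WITHVALUES\"",
    "1674200000.000002 [0 10.0.0.5:51234] \"ZRANDMEMBER\" \"leaderboard\" \"9223372036854775807\" \"withscores\"",
    "1674200000.000003 [0 10.0.0.9:40110] \"HRANDFIELD\" \"sessions\" \"3\" \"WITHVALUES\"",
    "1674200000.000004 [0 10.0.0.9:40110] \"ZRANDMEMBER\" \"leaderboard\" \"9223372036854775807\"",
    "1674200000.000005 [0 10.0.0.9:40110] \"GET\" \"user:42\"",
    "4242:M 20 Jan 2023 10:15:02.118 # === ASSERTION FAILED ===",
    "4242:M 20 Jan 2023 10:15:02.118 # ==> t_hash.c:0 'placeholder' is not true",
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]))

/* ASCII case-insensitive equality; the patch compares options with strcasecmp. */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return false;
    return *a == *b;
}

/* Pull the double-quoted tokens out of a MONITOR line. MONITOR writes an
 * embedded quote as \"; the backslash is dropped and the character kept. */
static int quoted_tokens(const char *line, char toks[MAX_TOKENS][MAX_TOKEN_LEN]) {
    int n = 0;
    const char *p = line;
    while (n < MAX_TOKENS && (p = strchr(p, '"')) != NULL) {
        size_t len = 0;
        for (p++; *p && *p != '"'; p++) {
            if (*p == '\\' && p[1]) p++;
            if (len < MAX_TOKEN_LEN - 1) toks[n][len++] = *p;
        }
        toks[n][len] = '\0';
        if (*p == '"') p++;
        n++;
    }
    return n;
}

/* A count is extreme if strtol cannot hold it at all (ERANGE) or it falls
 * outside [LONG_MIN/2, LONG_MAX/2], the bound the patch enforces. A
 * non-numeric count is a syntax error the server rejects, not an overflow. */
static bool count_extreme(const char *s) {
    char *end;
    errno = 0;
    long l = strtol(s, &end, 10);
    if (errno == ERANGE) return true;
    if (end == s || *end != '\0') return false;
    return l < LONG_MIN/2 || l > LONG_MAX/2;
}

int classify_line(const char *line) {
    /* Server-log indicators first; those lines carry no quoted command. */
    if (strstr(line, "ASSERTION FAILED") || strstr(line, "t_hash.c") || strstr(line, "t_zset.c"))
        return HIT_CRASH_TRACE;
    char toks[MAX_TOKENS][MAX_TOKEN_LEN];
    int n = quoted_tokens(line, toks);
    if (n < 3 || !(ieq(toks[0], "HRANDFIELD") || ieq(toks[0], "ZRANDMEMBER")))
        return HIT_NONE;
    /* Only the WITHVALUES/WITHSCORES form doubles the count, so only it is flagged. */
    bool doubling = n >= 4 && (ieq(toks[3], "WITHVALUES") || ieq(toks[3], "WITHSCORES"));
    return (doubling && count_extreme(toks[2])) ? HIT_EXTREME_COUNT : HIT_NONE;
}

/* Number of sample lines classified as `kind`. */
int sample_hits(int kind) {
    int hits = 0;
    for (int i = 0; i < SAMPLE_COUNT; i++)
        if (classify_line(SAMPLE_LINES[i]) == kind) hits++;
    return hits;
}

int main(void) {
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        int k = classify_line(SAMPLE_LINES[i]);
        if (k != HIT_NONE)
            printf("[%s] %s\n", k == HIT_EXTREME_COUNT ? "EXTREME COUNT" : "CRASH TRACE", SAMPLE_LINES[i]);
    }
    printf("%d extreme-count command(s), %d crash-trace line(s)\n",
           sample_hits(HIT_EXTREME_COUNT), sample_hits(HIT_CRASH_TRACE));
    return 0;
}
```

Of the seven sample lines, the first two are flagged as extreme counts (the second despite its lowercase option), the fourth is not because it lacks the doubling option, and the two server-log lines are flagged as crash traces. Pair the extreme-count hits with the client address in the MONITOR prefix to identify which authenticated client issued them.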
How to Mitigate CVE-2023-22458
Immediate Actions Required
- Upgrade Redis to version 6.2.9 or later for the 6.2.x branch
- Upgrade Redis to version 7.0.8 or later for the 7.0.x branch
- Review Redis authentication credentials and restrict access to trusted users only
- Implement network segmentation to limit who can connect to Redis instances
Patch Information
Redis has released patched versions that address this vulnerability. The fix adds boundary validation for the count parameter when WITHVALUES or WITHSCORES flags are present, ensuring values are within the safe range of LONG_MIN/2 to LONG_MAX/2 before proceeding with command execution.
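To make the fix concrete, here is an added example, written for this page and not taken from the Redis source, that isolates the patched validation: a strict parse of the count argument, the LONG_MIN/2 to LONG_MAX/2 check applied only when the doubling option is present (the plain form of the command is passed through unchecked, as in the patch), and a simplified model of the unpatched arithmetic in which the WITHVALUES/WITHSCORES reply length is 2*|count| held in a signed long. That model is an assumption for illustration, not the Redis code path; the example also assumes an LP64 platform (64-bit long) and GCC or Clang for __builtin_mul_overflow. For the sample values, the counts the patched check rejects are those whose doubling would wrap.

```c
/* Added example, not Redis source: the count validation the patch adds for
 * HRANDFIELD ... WITHVALUES / ZRANDMEMBER ... WITHSCORES, next to a simplified
 * model of the doubled reply length that the bound protects. Assumes LP64. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum count_status { COUNT_OK = 0, COUNT_NOT_INTEGER = 1, COUNT_OUT_OF_RANGE = 2 };

/* Parse a count strictly: the whole string must be a base-10 integer that
 * fits in a long (strtol reports ERANGE when it does not). */
static bool parse_long_strict(const char *s, long *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return false;
    *out = v;
    return true;
}

/* The bound in the form the patch writes it, applied only when the option
 * that doubles the reply (WITHVALUES / WITHSCORES) is present. */
enum count_status check_count_range(long l, bool with_option) {
    if (with_option && (l < LONG_MIN/2 || l > LONG_MAX/2)) return COUNT_OUT_OF_RANGE;
    return COUNT_OK;
}

/* Patched argument handling: parse, then range-check before any arithmetic.
 * `out` may be NULL when only the status is wanted. */
enum count_status validate_count(const char *arg, bool with_option, long *out) {
    long l;
    if (!parse_long_strict(arg, &l)) return COUNT_NOT_INTEGER;
    enum count_status st = check_count_range(l, with_option);
    if (st == COUNT_OK && out) *out = l;
    return st;
}

/* Simplified model (an assumption, not Redis code) of the unpatched
 * arithmetic: WITHVALUES/WITHSCORES answers two reply entries per element,
 * so the reply length is 2*|count| in a signed long. Returns the length, or
 * -1 where the arithmetic would overflow; __builtin_mul_overflow (GCC/Clang)
 * detects the overflow instead of letting it wrap. */
long doubled_reply_len(long l) {
    if (l == LONG_MIN) return -1;            /* -LONG_MIN is not representable */
    long magnitude = l < 0 ? -l : l;
    long len;
    if (__builtin_mul_overflow(magnitude, 2L, &len)) return -1;
    return len;
}

int main(void) {
    const long samples[] = { -5, 0, 7, LONG_MAX/2, LONG_MAX/2 + 1, LONG_MAX, LONG_MIN };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        snprintf(buf, sizeof buf, "%ld", samples[i]);
        enum count_status st = validate_count(buf, true, NULL);
        printf("count %21s  patched check: %-12s  2*|count|: %ld\n", buf,
               st == COUNT_OK ? "accepted" : "out of range", doubled_reply_len(samples[i]));
    }
    return 0;
}
```

Running it prints one row per sample: -5, 0, 7 and LONG_MAX/2 are accepted and double cleanly, while LONG_MAX/2 + 1, LONG_MAX and LONG_MIN are rejected with "value is out of range" semantics and show -1 for the doubled length, which is the overflow the unpatched server ran into.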
- Redis 6.2.9 Release - Contains the security fix for 6.2.x branch
- Redis 7.0.8 Release - Contains the security fix for 7.0.x branch
- Security Patch Commit - Direct commit implementing the fix
- GitHub Security Advisory GHSA-r8w2-2m53-gprj - Official security advisory with full details
Workarounds
- There are no known workarounds for this vulnerability according to the vendor advisory
- Upgrading to the patched versions is the only remediation method available
- As a defense-in-depth measure, restrict Redis network access and enforce strong authentication
# Verify your Redis version to determine if you're vulnerable
redis-cli INFO server | grep redis_version
# After upgrading, verify the patched version is running
# For 6.2.x branch: should show 6.2.9 or higher
# For 7.0.x branch: should show 7.0.8 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.