Redis 3.2.x critical bug

All Redis 3.2.x versions are affected. It’s already been four days, but better late than never.

The gist is that using CONFIG SET calls (or by manipulating redis.conf) an attacker is able to compromise certain fields of the “server” global structure, including the aof filename pointer, which could be made to point to something else. In turn the AOF name is used in different contexts such as logging, rename(2) and open(2) syscalls, leading to potential problems.
Please note that since having access to CONFIG SET also means being able to change the AOF filename (and many other things) directly, this issue’s actual real-world impact is quite small, so I would not panic: if you have CONFIG SET level of access, you can do more, and more easily.

The Redis 3.2.4 release fixes the issue.


Vulnerability report by Talos: Vulnerability Spotlight: Redis CONFIG SET client-output-buffer-limit Code Execution Vulnerability


So, what does a common ERPNext user do now with this information?

  • sudo apt-get update redis
  • bench update

… ?

Well, first you have to check if you’re on the 3.2.x branch. If that’s the case, then check your distro’s security announcement page for a security update (e.g. for Debian: Debian -- Security Information) and perform the upgrade as soon as possible, but it’s better to sign up for the security announcement mailing list or RSS feed to stay up to date.
Versions 3.0 and 2.x are not vulnerable, so no action needs to be taken.

Not sure if something has to be done via bench later.

Debian -- Security Information

interestingly lists no security update for redis (or do I misread that list?)

for my fellow dummies:

frappe@erpnext:~$ apt list --installed | grep redis

redis-server/trusty,now 2:2.8.4-2 i386 [installed]
redis-tools/trusty,now 2:2.8.4-2 i386 [installed,automatic]
frappe@erpnext:~$ sudo apt-get update && sudo apt-get upgrade redis-server redis-tools
redis-server is already the newest version.
redis-tools is already the newest version.

That’s on Ubuntu 14.04. Oh and ‘yes’ … don’t forget to take a snapshot of your system before doing this. Things may go wrong.
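To make the “are you on 3.2.x?” check above and the apt output in this post mechanical, here is an added example (not code from the thread or from the Redis project) that classifies a version string against the affected 3.2.0 to 3.2.3 range. It assumes `redis-server --version` prints a banner of the form “Redis server v=X.Y.Z …” and that Debian/Ubuntu package versions look like “2:2.8.4-2” (epoch, upstream version, package revision).

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a Redis version against the
# affected range named above (every 3.2.x release before the 3.2.4 fix).
# Assumptions (mine): `redis-server --version` prints "Redis server v=X.Y.Z ...",
# and Debian/Ubuntu package versions look like "2:2.8.4-2".

# Strip a Debian epoch ("2:") and package revision ("-2"): "2:2.8.4-2" -> "2.8.4".
normalize_redis_version() {
    v=${1#*:}          # drop the epoch, if any
    v=${v%%-*}         # drop the package revision, if any
    printf '%s\n' "$v"
}

# Pull the upstream version out of the `redis-server --version` banner.
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*v=\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version is in the affected 3.2.0..3.2.3 range, else 1.
redis_version_affected() {
    v=$(normalize_redis_version "$1")
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;   # keep leading digits only
        *)   patch=0 ;;                                      # "3.2" counts as 3.2.0
    esac
    if [ "$major" = 3 ] && [ "$minor" = 2 ] && [ "${patch:-0}" -lt 4 ]; then
        return 0
    fi
    return 1
}

# Check the binary on this host, if there is one (safe to run when absent).
report_installed() {
    if ! command -v redis-server >/dev/null 2>&1; then
        echo "redis-server not found in PATH"
        return 0
    fi
    v=$(version_from_banner "$(redis-server --version 2>/dev/null)")
    if redis_version_affected "$v"; then
        echo "redis-server $v: 3.2.x before 3.2.4, upgrade to 3.2.4 or later"
    else
        echo "redis-server $v: not in the affected 3.2.x range"
    fi
}

report_installed
```

The same functions accept the apt version string directly, so `redis_version_affected '2:2.8.4-2'` answers the question for the package output shown above without parsing the banner.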

It’s true. Probably the logic is that Debian stable (which has unaffected Redis 2.8.17) is supposed to be used on servers, but Sid and Stretch will be updated soon anyway.

You’re safe with 2.8.4