#VU67749 Memory leak in Redis - CVE-2022-33105

Cybersecurity Help s.r.o.

Published: 2022-09-29

Vulnerability identifier: #VU67749

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-33105

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Redis
Server applications / Database software

Vendor: Redis Labs

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak within the streamGetEdgeID component. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Redis: 7.0.0

External links
https://github.com/redis/redis/pull/10829
https://github.com/redis/redis/commit/4a7a4e42db8ff757cdf3f4a824f66426036034ef
https://github.com/redis/redis/pull/10753
https://raw.githubusercontent.com/redis/redis/7.0.1/00-RELEASENOTES
https://security.netapp.com/advisory/ntap-20220729-0005/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Redis

Denial of service in Redis