CVE-2021-32626


Johannes

Nov 30, 2021, 5:17:31 AM
to Jedis
Hi,

Our OWASP vulnerability scanner reports CVE-2021-32626 for Jedis:
jedis-3.7.0.jar (pkg:maven/redis.clients/je...@3.7.0, cpe:2.3:a:redis:redis:3.7.0:*:*:*:*:*:*:*) : CVE-2021-32626

Has anybody also seen this? I am not sure why this vulnerability is raised since it is for Redis server as far as I understand it.

Thank you.

Regards,
Johannes

Oscar Besga

Nov 30, 2021, 10:48:31 AM
to Jedis
Here https://nvd.nist.gov/vuln/detail/CVE-2021-32626
It explains that some versions of redis can have problems with Lua scripts, and a stack overflow attack can be done.
Fixed in redis 6.2.6, 6.0.16 and 5.0.14

Maybe Lua sanitization should be done?

See ya !

Johannes

Nov 30, 2021, 11:20:22 AM
to Jedis
Hi Oscar,

Thanks for your comment.

If I use Jedis 3.7.0 that connects to a Redis server that has fixed the issue from the vulnerability, I guess I should be fine. I am wondering though why Jedis is in the scope of this vulnerability.

What could be the reason that the OWASP vulnerability scanner considers Jedis to be in the scope of CVE-2021-32626? Is the CVE maybe not correctly defined?

Thank you.

Regards,
Johannes

Oscar Besga

Nov 30, 2021, 11:51:08 AM
to jedis...@googlegroups.com
Don't know the details, but if you use a Lua script on Redis and apply user-data entries (like a form on a webpage), it would be a good idea to sanitize it.
Like SQL-INJECTION, think of LUA-INJECTION

For example, someone can send you a form with a FirstName like
    Jonh"); redis.call("KEYS"); #

and force the page to return all database keys and slow down your redis instance a lot

Or

    Robert"); redis.call("FLUSHDB"); #

And you're lost

Anyone know how to sanitize Lua?

XKCD reference! 😊



To view this discussion on the web visit https://groups.google.com/d/msgid/jedis_redis/156ba2d8-d54a-41a1-8653-1ee0aed70e6bn%40googlegroups.com.
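The concatenation pattern Oscar describes, next to the form that does not need any Lua "sanitization": the script source stays a constant and the user value travels through KEYS/ARGV, which Redis binds as plain Lua strings, so no character in the input can change the program. This is an added example, not code from this thread or from the Jedis project. It assumes a Redis server on localhost:6379 and Jedis 3.x; the class name, the key name `user:42:name`, the helper names and the name allow-list pattern are constructed for illustration.

```java
import java.util.Collections;
import java.util.List;

import redis.clients.jedis.Jedis;

/**
 * Hypothetical helper class (not part of Jedis) contrasting an injectable
 * script builder with a parameterized one.
 */
public class LuaScriptExample {

    // VULNERABLE PATTERN: the user-supplied name becomes part of the Lua source.
    // A value containing a closing quote and parenthesis changes the script that
    // Redis compiles and runs, exactly the scenario described in the thread.
    static String buildUnsafeScript(String userKey, String firstName) {
        return "return redis.call(\"SET\", \"" + userKey + "\", \"" + firstName + "\")";
    }

    // SAFE PATTERN: the script source is a constant; user input is passed via
    // KEYS/ARGV through Jedis' eval(script, keys, args). Redis exposes them to
    // the script as Lua string values, never as code.
    private static final String SET_NAME_SCRIPT =
        "return redis.call('SET', KEYS[1], ARGV[1])";

    static Object storeFirstNameSafe(Jedis jedis, String userKey, String firstName) {
        List<String> keys = Collections.singletonList(userKey);
        List<String> args = Collections.singletonList(firstName);
        return jedis.eval(SET_NAME_SCRIPT, keys, args);
    }

    // Defence in depth, not a substitute for parameterization: an allow-list
    // for a name field (constructed pattern; letters, spaces, dots, apostrophes,
    // hyphens, at most 64 characters). Reject at the edge, before Redis is involved.
    static boolean isPlausibleName(String s) {
        return s != null && s.length() <= 64 && s.matches("[\\p{L}][\\p{L} .'-]*");
    }

    public static void main(String[] args) {
        // Constructed input in the shape shown earlier in the thread.
        String hostile = "Jonh\"); redis.call(\"KEYS\"); #";

        // With the unsafe builder, the script text itself is altered by the input:
        System.out.println(buildUnsafeScript("user:42:name", hostile));

        // The allow-list rejects it before any script runs:
        System.out.println(isPlausibleName(hostile));   // false
        System.out.println(isPlausibleName("Jonh"));    // true

        // With the parameterized form the whole string is stored verbatim as data;
        // the script that Redis compiled is unchanged.
        try (Jedis jedis = new Jedis("localhost", 6379)) {   // assumed local test server
            storeFirstNameSafe(jedis, "user:42:name", hostile);
            System.out.println(hostile.equals(jedis.get("user:42:name")));   // true
        }
    }
}
```

The same rule covers every argument a script needs: put each one in `keys` (anything the script reads or writes as a key) or `args` (everything else) and reference it as `KEYS[n]` / `ARGV[n]`. Quoting or escaping user input into the Lua text is the same mistake as escaping into SQL by hand, and is what the thread's "LUA-INJECTION" comparison points at.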

Johannes

Dec 1, 2021, 7:02:28 AM
to Jedis
Ok, thanks for explaining.

This type of scenario is not possible in our case since we submit only 'hard-coded' Redis commands in the application.

We use the OWASP dependency check plugin ( https://plugins.gradle.org/plugin/org.owasp.dependencycheck ) to check for vulnerabilities. Since CVE-2021-32626 is reported there, what is a clean way to resolve this? Will Jedis 4.0 help address this?

Thank you.

Johannes