Lua Library in the Redis Server has security risk which is detected by our internal tool


Veera Alagappan

Oct 18, 2021, 11:49:08 AM
to Redis DB

Hi Redis Team,

I am Veerappan from Honeywell. We are using Redis Server version 6.2.5 in one of our projects, and our internal binary scanning tool has reported a security risk for that version's Lua library, version 5.1.5.

So, we tried updating to the latest version of Redis, v6.2.6, which was released this month, and it still uses the Lua library with the same version, 5.1.5.

Can you please let us know what is the fix plan to update the Lua Library with a non-vulnerable version that has no security risk?

We are holding our deliverables related to Redis back from production because of this detected vulnerability.

So it would be really great if you could let us know your fix plan for this vulnerability ASAP, so that we can plan accordingly.


Thanks,

Veera

Itamar Haber

Oct 18, 2021, 11:52:32 AM
to Redis DB
Hi Veerappan

Currently, there are no plans for upgrading the sandboxed Lua engine that Redis ships with. In a nutshell, newer versions of Lua are not backward compatible, so upgrading Redis to use these will cause breakage in production systems and require porting of existing scripts.

That said, we are not aware of any open security issues with the Redis-provided Lua sandbox. Reported issues of this type, in the past, were fixed directly in the Redis project.

I'm not familiar with your internal scanning tool, but I suspect that it provides you with a false positive just because of the reported Lua version. However, if the tool identified an actual security issue, please report it in private to the Redis core team by emailing at "redis at redis dot io".

Cheers,
Itamar

Veera Alagappan

Mar 7, 2022, 8:37:09 AM
to Redis DB
Hi Itamar,
Sorry for getting back to you late. In continuation of the Lua library vulnerability issue, it's not only detected by our tool.
This vulnerability is also reported in the National Vulnerability Database, which has reported the following CWE (CVE-2021-44647) in the latest library version as well, which is 5.4.4.

The chance of the vulnerability is low, though; considering this impact, do you have any plan to upgrade this component or to find an alternative for it in Redis?

Thanks,
Veera