Is redis impacted by CVE-2021-44228?


Taylor Wrobel

Dec 18, 2021, 9:27:48 AM
to Redis DB
There is a widespread log4j RCE vulnerability that was discovered today, denoted CVE-2021-44228.

Several sources online are listing Redis as an affected service, and most seem to reference the same attack surface repository on GitHub, which lists Redis with no further details - https://github.com/YfryTchsGD/Log4jAttackSurface

This doesn't make sense to me intuitively since Redis is written in C and the source makes no mention of log4j. I suspect either Redis was listed without verification and other sources have referenced it, or that reports are conflating Redis itself with the Jedis Java client, which does seem affected - https://github.com/redis/jedis/issues/2726.

Can I just get verification of the scope of impact on Redis core (hopefully none)? 

Cheers,
- Taylor

Itamar Haber

Dec 18, 2021, 9:38:30 AM
to Redis DB
Hey Taylor,

Redis core isn't impacted - it doesn't use Java in general, or log4j in particular.
Jedis' test suite was impacted and a new release was made.

Cheers,
Itamar