Vulnerability in Redis and Valkey allowing code execution on the database server

Researchers at Wiz have discovered a vulnerability (CVE-2025-49844) in the Redis database management system (DBMS) that allows remote code execution (RCE) on the server. The issue has been given the highest severity rating (CVSS score 10 out of 10). To exploit it, an attacker must be able to send commands to the Redis instance that cause a Lua script to run, i.e. the instance must accept the attacker's connection and allow Lua scripting.

Beyond publicly reachable Redis instances that accept unauthenticated connections, the vulnerability also puts cloud environments and managed platforms built on Redis at risk of compromise. According to Wiz, a network scan found about 330 thousand Redis servers accepting connections, of which about 60 thousand accept requests without authentication. The official Docker image published by the Redis project is configured to allow unauthenticated access by default.

The vulnerability is caused by a use-after-free that is triggered when the garbage collector runs over a specially crafted Lua script. It lets an attacker escape the sandbox that isolates the Lua environment and execute code on the host with the privileges of the user the DBMS runs as. Notably, the bug went unnoticed for 13 years. The researchers who found it have demonstrated a working exploit, but the exploitation details are being withheld to give time for patches to be deployed.

The flaw is also present in Valkey, a fork of Redis that ships in many Linux distributions, including Red Hat Enterprise Linux 10. The vulnerability is fixed in Redis 8.2.2, 8.0.4, 7.4.6, 7.2.11 and 6.2.20, and in Valkey 8.1.4, 8.0.6 and 7.2.11. The status of updated packages or patch preparation in distributions can be followed on the respective pages: Debian, Ubuntu, Fedora, SUSE/openSUSE, RHEL, Gentoo, Arch, FreeBSD, OpenBSD and NetBSD. As a workaround, Lua scripting can be disabled in the DBMS by blocking the EVAL and EVALSHA commands via ACLs; note that the read-only variants EVAL_RO and EVALSHA_RO run the same Lua interpreter, so in practice the whole @scripting ACL category should be removed rather than just those two commands.

In addition, three other vulnerabilities exploitable through Lua scripts, fixed in the same recent Redis and Valkey releases, are worth noting. To mitigate them, the EVAL and FUNCTION command families can be blocked via ACLs.

  • CVE-2025-46817: an integer overflow in a Lua library function can lead to arbitrary code execution on the server when a specially crafted Lua script is run.
  • CVE-2025-46819: an out-of-bounds read triggered by a specially crafted Lua script; it can be used to crash the Redis server process.
  • CVE-2025-46818: the ability to execute commands on behalf of another DBMS user by modifying Lua objects from a specially crafted Lua script.
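As an added example (not code from the article or from the Redis/Valkey projects), the following Python helper ties together the fix list and the ACL workaround described above: it reads the text of `INFO server` (a constructed sample is embedded), decides whether the running Redis or Valkey branch is at or above the fixed release named in this article, and otherwise produces the ACL command that removes the whole @scripting category. The `@scripting` category and the `ACL SETUSER` syntax are standard Redis ACL features; the version table is taken from this article; the function names and the sample INFO output are assumptions of this example.

```python
"""Triage helper for CVE-2025-49844 and the related Lua CVEs.

Added example; not part of the original article or of the Redis/Valkey
projects. Works fully offline:

  1. reads `INFO server` text (constructed sample below) and decides
     whether the running Redis or Valkey carries the fixed release named
     in the article for its branch;
  2. builds the ACL workaround: an `ACL SETUSER` command removing the whole
     @scripting category (EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL,
     FCALL_RO, FUNCTION, SCRIPT) from a user.
"""
import re

# Minimum fixed release per maintained branch, as listed in the article.
FIXED = {
    "redis": {
        (8, 2): (8, 2, 2),
        (8, 0): (8, 0, 4),
        (7, 4): (7, 4, 6),
        (7, 2): (7, 2, 11),
        (6, 2): (6, 2, 20),
    },
    "valkey": {
        (8, 1): (8, 1, 4),
        (8, 0): (8, 0, 6),
        (7, 2): (7, 2, 11),
    },
}

# Constructed sample of `redis-cli INFO server` output (fields abridged).
SAMPLE_INFO = """# Server
redis_version:7.2.10
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""


def parse_version(s):
    """'7.2.10' -> (7, 2, 10); tuples compare correctly, strings do not."""
    return tuple(int(x) for x in s.strip().split(".")[:3])


def identify(info_text):
    """Return (product, version_tuple) from INFO server text.
    Valkey 8 also reports a compatibility redis_version field, so
    valkey_version is checked first."""
    fields = dict(re.findall(r"^(\w+):(.+)$", info_text, re.M))
    if "valkey_version" in fields:
        return "valkey", parse_version(fields["valkey_version"])
    if "redis_version" in fields:
        return "redis", parse_version(fields["redis_version"])
    raise ValueError("no version field in INFO output")


def is_patched(product, version):
    """True if version is at or above the fixed release for its branch.
    Branches the article does not list as fixed are reported as unpatched."""
    fixed = FIXED[product].get(version[:2])
    if fixed is None:
        return False
    return version >= fixed


def acl_workaround(user="default"):
    """ACL command that strips the whole scripting category from one user.
    It must be issued for every user that currently has +@all or +@scripting."""
    return f"ACL SETUSER {user} -@scripting"


def triage(info_text):
    """Summarise product, version, patch status and the action to take."""
    product, version = identify(info_text)
    patched = is_patched(product, version)
    return {
        "product": product,
        "version": ".".join(map(str, version)),
        "patched": patched,
        "action": "none" if patched else acl_workaround(),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_INFO))
```

Run the `ACL SETUSER` line for every configured user, not only `default`, and persist it (`ACL SAVE` when an aclfile is configured, `CONFIG REWRITE` otherwise) so it survives a restart. Removing @scripting also blocks SCRIPT, FCALL and FUNCTION, so any application that relies on server-side Lua (locks, rate limiters, atomic counters) will start failing; the workaround buys time to upgrade and is not a substitute for it.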

Source: opennet.ru
