Security Bulletin: Vulnerabilities in Redis affect IBM Event Streams (CVE-2022-24736, CVE-2022-24735)

Summary

There are a number of vulnerabilities in Redis that is used by IBM Event Streams.

Vulnerability Details

CVEID:CVE-2022-24736
**DESCRIPTION:**Redis is vulnerable to a denial of service, caused by a NULL pointer dereference. By loading a specially crafted Lua script, a local authenticated attacker could exploit this vulnerability to cause a crash of the redis-server process.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225345 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-24735
**DESCRIPTION:**Redis could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper validation of user-supplied input by the Lua script execution environment. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code with the potentially higher privileges of another Redis user on the system.
CVSS Base score: 3.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225346 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading

Upgrade to IBM Event Streams 11.0.4 by following the upgrading and migrating documentation.

Workarounds and Mitigations

None