The Redis in-memory data structure store, a cornerstone of modern application architecture, faced a critical security vulnerability in early 2022 that exposed fundamental weaknesses in its Lua scripting subsystem. Designated CVE-2022-24735, this vulnerability allowed less-privileged users to inject code that could later execute with the elevated privileges of higher-privileged Redis users, creating a significant threat vector for multi-tenant deployments and shared hosting environments where Redis Access Control Lists (ACLs) were relied upon for security isolation.

Understanding the Vulnerability Mechanism

At its core, CVE-2022-24735 exploited the interaction between Redis's Lua scripting engine and its ACL system. When a user executes a Lua script in Redis, the script typically runs with the permissions of the user who invoked it. However, this vulnerability created a scenario where scripts could be manipulated to execute with different privileges than intended.

According to Redis's official security advisory, the issue stemmed from how Redis handled script caching and execution. When a script is loaded into Redis using the SCRIPT LOAD command, it receives a SHA1 digest that serves as its identifier. Subsequent executions using EVALSHA reference this digest. The vulnerability allowed a lower-privileged user to load a script, then through various manipulation techniques, cause that script to execute with the permissions of a different, higher-privileged user who later accessed the same script cache.

Technical Details and Attack Vectors

Research into CVE-2022-24735 reveals several specific attack vectors that emerged from this vulnerability:

Script Cache Pollution: An attacker with limited permissions could load malicious Lua scripts into Redis's script cache. When a privileged user later executed what appeared to be a legitimate script (via its SHA1 digest), they might inadvertently execute the attacker's code with elevated privileges.

Privilege Escalation Chains: The vulnerability enabled privilege escalation chains where an initial low-privilege access could be transformed into administrative control over the Redis instance. This was particularly dangerous in cloud environments where Redis instances might be shared between multiple applications or tenants.

Cross-Tenant Data Access: In multi-tenant deployments, this vulnerability could allow one tenant to access or modify another tenant's data, violating fundamental isolation guarantees that Redis ACLs were designed to enforce.

Impact Assessment and Severity

CVE-2022-24735 was rated with a CVSS score of 7.0 (High severity), reflecting its significant impact on confidentiality, integrity, and availability. The vulnerability affected Redis versions 3.2 through 7.0, covering a substantial portion of production deployments. Organizations using Redis with ACLs enabled for security isolation were particularly vulnerable, as the very mechanism designed to protect their data became a potential attack vector.

The Redis security team emphasized that this vulnerability specifically impacted deployments where:

  • Multiple users with different privilege levels accessed the same Redis instance
  • Lua scripting was enabled (which is the default configuration)
  • Script caching was utilized for performance optimization

Mitigation Strategies and Patches

Redis addressed CVE-2022-24735 through several coordinated approaches:

Official Patches: Redis released patches for affected versions, with the fix fundamentally changing how script execution permissions are handled. The patched versions ensure that scripts always execute with the permissions of the user who's currently executing them, regardless of how they were loaded into the cache.

Configuration Workarounds: For organizations unable to immediately patch, Redis provided temporary mitigation strategies including disabling Lua scripting entirely (though this impacts functionality) or implementing additional network-level isolation between different user classes.

ACL Reinforcement: The incident prompted recommendations to review and strengthen ACL configurations, with particular attention to minimizing script loading privileges and implementing principle of least privilege more rigorously.

Broader Security Implications for Database Systems

The discovery of CVE-2022-24735 highlighted several important security considerations for database and caching systems:

Scripting Engine Security: Lua scripting engines, while powerful for extending functionality, introduce complex security considerations. The Redis vulnerability demonstrated how subtle interactions between scripting, caching, and permission systems can create unexpected attack surfaces.

Multi-Tenancy Challenges: As Redis and similar systems are increasingly deployed in shared environments, the security of isolation mechanisms becomes critical. This vulnerability showed that even well-designed ACL systems can have edge cases that compromise tenant isolation.

Default Configuration Risks: The fact that Lua scripting is enabled by default in Redis meant that many deployments were vulnerable without administrators realizing their exposure. This underscores the importance of security-hardening default configurations in widely deployed software.

Best Practices for Redis Security Post-CVE-2022-24735

In response to this vulnerability, security experts have developed enhanced best practices for Redis deployments:

Regular Patching and Updates: Maintain a regular schedule for applying security patches to Redis instances. Automated vulnerability scanning should include Redis components in dependency checks.

Principle of Least Privilege Enforcement: Implement strict ACL policies that grant users only the minimum permissions necessary for their functions. Regularly audit and review these permissions.

Network Segmentation: Where possible, implement network-level isolation between different classes of Redis users, particularly separating administrative access from application access.

Monitoring and Auditing: Implement comprehensive logging of Redis commands, particularly focusing on script loading and execution events. Monitor for unusual patterns that might indicate attempted exploitation.

Vendor Security Advisories: Subscribe to security mailing lists for Redis and related technologies to receive immediate notification of emerging vulnerabilities.

The Future of Redis Security

The Redis development team has used lessons from CVE-2022-24735 to inform ongoing security improvements. Subsequent Redis releases have included enhanced security features and more robust isolation mechanisms. The incident has also spurred increased security research focus on in-memory data stores, leading to better understanding of their unique security challenges.

For organizations deploying Redis in production, the key takeaway from CVE-2022-24735 is that security in modern data systems requires continuous attention to both configuration and architecture. As Redis continues to evolve with features like Redis Stack and enhanced cluster capabilities, maintaining security vigilance remains essential for protecting sensitive data and ensuring system integrity.

Conclusion

CVE-2022-24735 served as a wake-up call for the Redis community about the complex security implications of scripting engines in multi-user database systems. While the immediate vulnerability has been patched, its discovery highlighted broader security considerations that continue to be relevant. Organizations using Redis should ensure they have applied the relevant patches, reviewed their security configurations, and implemented monitoring to detect potential security issues. As Redis maintains its position as a critical component in modern application architecture, understanding and addressing such vulnerabilities remains essential for maintaining secure, reliable systems.