Service Notices
Redis (32-bit) Remote Code Execution Vulnerability (CVE-2021-32761)
Jul 26, 2021 GMT+08:00
I. Overview
Redis has released a security notice stating that the BITFIELD command is vulnerable to an integer overflow on 32-bit Redis. Attackers can exploit this vulnerability by constructing special commands that cause the integer overflow and trigger remote code execution. This vulnerability affects only 32-bit Redis.
Redis is the most popular database. If you are a 32-bit Redis user, check your Redis version and apply security hardening promptly.
Reference: https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
2.2 or newer
Secure versions:
5.0.13
6.0.15
6.2.5
IV. Security Recommendations
1. This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to the latest secure version.
2. If the upgrade cannot be performed in a timely manner, you can disable the BITFIELD command based on the suggestions provided by Redis to mitigate the risk. The command can be disabled using ACLs in Redis 6.0 and later versions.
3. Use 64-bit Redis instead.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
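The version check from recommendation 1 and the ACL workaround from recommendation 2, as an added triage script (not part of this notice or of Redis). It reads the output of `redis-cli INFO server` and assumes the `redis_version` and `arch_bits` fields that Redis reports there; the sample INFO text is constructed.

```python
"""Triage helper for CVE-2021-32761 over `redis-cli INFO server` output (added example)."""
import re
import sys

FIRST_AFFECTED = (2, 2, 0)                                  # "2.2 or newer" per the notice
FIXED = {(5, 0): (5, 0, 13), (6, 0): (6, 0, 15), (6, 2): (6, 2, 5)}   # secure versions

def parse_info(text):
    """Turn the 'key:value' lines of INFO output into a dict, skipping '# Section' headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def parse_version(text):
    """'6.2.4' -> (6, 2, 4); keeps only the leading digits of each component ('4-rc1' -> 4)."""
    parts = [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(info_text):
    """Return (status, reason); status is 'vulnerable', 'not_affected' or 'unknown'."""
    fields = parse_info(info_text)
    if "arch_bits" not in fields or "redis_version" not in fields:
        return "unknown", "INFO output lacks arch_bits or redis_version"
    if fields["arch_bits"] != "32":
        return "not_affected", f"{fields['arch_bits']}-bit build; only 32-bit Redis is affected"
    ver = parse_version(fields["redis_version"])
    if ver < FIRST_AFFECTED:
        return "not_affected", "older than 2.2, below the affected range"
    fixed = FIXED.get(ver[:2])
    if fixed is None:                                       # branch without a listed fix
        if ver[:2] > max(FIXED):
            return "unknown", "branch newer than those listed; check upstream fix status"
        return "vulnerable", f"32-bit {fields['redis_version']} has no fixed release on its branch"
    if ver >= fixed:
        return "not_affected", f"{fields['redis_version']} is at or above the fixed release"
    return "vulnerable", f"32-bit {fields['redis_version']} is below {'.'.join(map(str, fixed))}"

def mitigation(info_text):
    """Interim step: on 6.0+ the command can be removed with an ACL rule (apply to every user, then persist)."""
    ver = parse_version(parse_info(info_text).get("redis_version", "0"))
    return "ACL SETUSER default -bitfield" if ver >= (6, 0, 0) else "upgrade or move to a 64-bit build"

SAMPLE_INFO = "# Server\r\nredis_version:5.0.12\r\nredis_mode:standalone\r\narch_bits:32\r\n"  # constructed

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFO
    status, reason = assess(text)
    print(status, "-", reason, "| mitigation:", mitigation(text) if status == "vulnerable" else "none needed")
```

Run as `redis-cli INFO server | python3 triage.py` against each instance; with no input it evaluates the constructed sample.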