CVE-2022-36021

Description

Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.

How to fix CVE-2022-36021

To remediate CVE-2022-36021, upgrade the affected package to a fixed version below.

• —upgrade to 6.0.18 or later
• —upgrade to 6.0.18 or later
• —upgrade to 6.0.18 or later
• —upgrade to 5:6.0.16-1+deb11u3 or later
• —upgrade to 5:5.0.14-1+deb10u3 or later

Is CVE-2022-36021 being exploited?

Likely — EPSS is 60.6%, placing CVE-2022-36021 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (5)

• from 0, < 6.0.18, >= 6.2.0, < 6.2.11, >= 7.0.0, < 7.0.9
• from 0, < 6.0.18, >= 6.2.0, < 6.2.11, >= 7.0.0, < 7.0.9
• from 0, < 6.0.18, >= 6.2.0, < 6.2.11, >= 7.0.0, < 7.0.9
• from 0, < 5:6.0.16-1+deb11u3
• from 0, < 5:5.0.14-1+deb10u3

CVSS scores

References (4)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-36021
• WEBgithub.com/redis/redis/commit/dcbfcb916ca1a269b3feef86ee86835294758f84
• WEBgithub.com/redis/redis/security/advisories/GHSA-jr7j-rfj5-8xqv
• WEBnvd.nist.gov/vuln/detail/CVE-2022-36021