Malformed ACL Selector Causes Server Panic and Denial of Service in Redis
CVE-2024-51741

Key Information:

Vendor: Redis
CVE Published: 6 January 2025

What is CVE-2024-51741?

CVE-2024-51741 is a vulnerability in Redis, the open-source in-memory data store used for fast storage and retrieval. An authenticated user who holds sufficient privileges to create Access Control List (ACL) selectors can submit a malformed selector that causes the server to panic, resulting in a Denial of Service (DoS). For organizations that depend on Redis, this means disrupted service availability and operational downtime.

Technical Details

The core issue of CVE-2024-51741 lies in how Redis handles malformed ACL selectors. When a suitably privileged, authenticated user submits such a selector, the server panics and crashes. All in-flight operations are lost and legitimate clients can no longer reach the database, effectively paralyzing applications that depend on Redis. The vulnerability has been fixed in Redis versions 7.2.7 and 7.4.2.
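The two facts a defender needs from this advisory are the fix versions and the precondition (a user allowed to run ACL SETUSER). The following script, an added example that is not part of the advisory or of the Redis project, turns both into a read-only audit over captured `INFO server` and `ACL LIST` output. The sample output it ships with is constructed; the mapping of ACL SETUSER to the @admin, @dangerous and @slow categories is taken from the Redis ACL documentation, not from this advisory, and is marked as an assumption in the code.

```python
"""Read-only audit for CVE-2024-51741 exposure from captured Redis output.

Added example, not code from the advisory or from Redis. It needs no live
server: feed it the text returned by `INFO server` and `ACL LIST`.
"""
import re

# Fix versions stated in the advisory, keyed by release branch (major, minor).
# Branches absent from this table are reported as "unknown": the advisory
# gives no fix version for them, so they must not be treated as safe.
FIXED_IN = {
    (7, 2): (7, 2, 7),
    (7, 4): (7, 4, 2),
}

# Rule tokens that grant or revoke the ability to run ACL SETUSER.
# Assumption (from Redis ACL docs, not this advisory): ACL SETUSER belongs to
# the @admin, @dangerous and @slow categories as well as @all.
GRANT = {"+@all", "allcommands", "+acl", "+acl|setuser",
         "+@admin", "+@dangerous", "+@slow"}
REVOKE = {"-@all", "nocommands", "-acl", "-acl|setuser",
          "-@admin", "-@dangerous", "-@slow"}


def parse_version(info_output):
    """Extract redis_version from `INFO server` output as an (x, y, z) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_output, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(p) for p in m.groups())


def fix_status(version):
    """Return 'fixed', 'needs-fix' or 'unknown' for a parsed version tuple."""
    branch = version[:2]
    if branch not in FIXED_IN:
        return "unknown"
    return "fixed" if version >= FIXED_IN[branch] else "needs-fix"


def selector_allows_setuser(tokens):
    """Evaluate one selector's rule tokens left to right; later rules win."""
    allowed = False
    for tok in tokens:
        if tok in GRANT:
            allowed = True
        elif tok in REVOKE:
            allowed = False
    return allowed


def users_with_setuser(acl_list_output):
    """Names of enabled users whose root rules or any selector allow ACL SETUSER."""
    flagged = []
    for line in acl_list_output.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        if rules[0] == "off":  # disabled user cannot authenticate at all
            continue
        # Root rules come first; each "(...)" group is a secondary selector
        # that starts with no permissions, so evaluate every group on its own.
        groups = re.split(r"\s*\(", " ".join(rules))
        if any(selector_allows_setuser(g.rstrip(")").split()) for g in groups):
            flagged.append(name)
    return flagged


def audit(info_output, acl_list_output):
    """Combine both checks into one report dictionary."""
    version = parse_version(info_output)
    return {
        "version": version,
        "status": fix_status(version),
        "users_able_to_setuser": users_with_setuser(acl_list_output),
    }


# Constructed sample output (hashes replaced by a placeholder token).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #placeholderhash ~app:* &* -@all +@read +@write
user ops on #placeholderhash ~* &* -@all +@admin
user legacy off #placeholderhash ~* &* +@all
user reader on #placeholderhash ~cache:* -@all +get (~logs:* +acl|setuser)
"""

if __name__ == "__main__":
    report = audit(SAMPLE_INFO, SAMPLE_ACL)
    print(f"redis {'.'.join(map(str, report['version']))}: {report['status']}")
    print("users able to run ACL SETUSER:", ", ".join(report["users_able_to_setuser"]))
```

On the constructed sample the report flags version 7.2.5 as needing the fix and lists `default`, `ops` and `reader` as able to run ACL SETUSER (`reader` only through its secondary selector, which is exactly the kind of grant that is easy to overlook); `app` lacks the privilege and `legacy` is disabled. Until the upgrade is applied, trimming that list to the accounts that genuinely administer ACLs is the practical compensating control.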

Potential Impact of CVE-2024-51741

  1. Denial of Service: The primary impact is a complete Denial of Service (DoS): affected Redis instances become unresponsive, disrupting every application that relies on them.

  2. Operational Downtime: Because the server panics rather than rejecting the request, an organization may face prolonged downtime until the instance is restarted, affecting productivity and service delivery and potentially causing financial losses.

  3. Increased Security Risks: The presence of this vulnerability in a production environment could enable malicious actors to exploit it, leading to further security issues, including potential unauthorized access to sensitive data if left unmitigated.

Timeline

  • Vulnerability published
