CVE-2022-40768: drivers/scsi/stex.c (the Promise SuperTrak EX controller driver) in the Linux kernel through 5.19.9 leaks kernel stack memory to user space. In stex_queuecommand_lck(), the PASSTHRU_CMD case that answers a PASSTHRU_GET_DRVVER driver-version query builds a struct st_drvver reply on the stack, assigns only some of its fields, and copies the whole structure into the request's data buffer without a memset(), so the unwritten fields carry whatever stale stack contents were left there by earlier kernel code. A local user who can send SCSI passthrough commands to a device handled by stex (for example through the SG_IO ioctl on a device node they can open) can therefore read those bytes. The upstream fix ("scsi: stex: Properly zero out the passthrough command structure") replaces the partially initialised stack structure with a statically initialised one, so the unused fields are always zero. Mitigation: update to a kernel that carries the fix; on hosts without Promise SuperTrak hardware the stex module can simply be blacklisted.
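The bug class described above, as an added example that is not code from the kernel or the stex driver: a user-space C model in which a reply structure is built in a stack slot pre-filled with marker bytes (standing in for stale kernel stack data), only partially initialised, and then copied out the way the driver copies its reply into the request buffer. The struct layout is a simplified model that borrows the real structure's field names but is not the upstream definition; the marker value and the assigned field values are constructed for the demonstration. The vulnerable builder leaks 22 of the 32 bytes, the memset variant leaks none.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the driver-version reply returned for a
 * PASSTHRU_GET_DRVVER passthrough request.  Field names follow the
 * idea of the driver's struct st_drvver, but this is an illustrative
 * layout (assumption), chosen so there is no padding: 32 bytes total.
 */
struct drvver_reply {
    uint8_t  major;
    uint8_t  minor;
    uint8_t  oem;
    uint8_t  build;
    uint32_t signature[6];
    uint8_t  console_id;
    uint8_t  host_no;
    uint8_t  reserved0[2];
};

/* Marker for "stale" bytes left in the stack slot by earlier code (constructed value). */
#define STALE_BYTE 0xA5

/* The stack slot the reply is built in; raw[] lets us pre-fill it with stale data. */
union reply_slot {
    struct drvver_reply v;
    uint8_t raw[sizeof(struct drvver_reply)];
};

/* Vulnerable pattern: only some fields are assigned, the rest keep stale bytes. */
static void build_reply_vulnerable(struct drvver_reply *ver)
{
    ver->major = 6;
    ver->minor = 2;
    ver->oem = 0;
    ver->build = 1;
    ver->signature[0] = 0x74736574;   /* "test" in little-endian; constructed */
    ver->console_id = 0;
    ver->host_no = 1;
    /* signature[1..5] and reserved0[] are never written: 22 bytes untouched */
}

/* Fixed pattern: zero the whole structure before filling in the fields. */
static void build_reply_fixed(struct drvver_reply *ver)
{
    memset(ver, 0, sizeof *ver);
    build_reply_vulnerable(ver);   /* same assignments, now on zeroed memory */
}

/* Count bytes in the user-visible copy that still carry the stale marker. */
static size_t count_stale(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (buf[i] == STALE_BYTE);
    return n;
}

/* Pollute the slot, build the reply, copy it out as the driver would, count leaked bytes. */
static size_t leaked_bytes(void (*build)(struct drvver_reply *))
{
    union reply_slot slot;
    uint8_t userbuf[sizeof(struct drvver_reply)];   /* the requester's data buffer */

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);  /* stale stack contents */
    build(&slot.v);
    memcpy(userbuf, &slot.v, sizeof userbuf);       /* scsi_sg_copy_from_buffer() analogue */
    return count_stale(userbuf, sizeof userbuf);
}

size_t leaked_bytes_vulnerable(void) { return leaked_bytes(build_reply_vulnerable); }
size_t leaked_bytes_fixed(void)      { return leaked_bytes(build_reply_fixed); }

int main(void)
{
    printf("reply size: %zu bytes\n", sizeof(struct drvver_reply));
    printf("stale bytes copied to user, vulnerable: %zu\n", leaked_bytes_vulnerable());
    printf("stale bytes copied to user, fixed:      %zu\n", leaked_bytes_fixed());
    return 0;
}
```

The upstream patch takes the other route to the same result, a `static` structure with a constant initialiser, which the C standard guarantees is zero in every field the initialiser does not name. Either way the rule for review is the same: any structure that leaves the kernel by copy_to_user(), an SG copy or a similar path must be fully initialised, and a `= { ... }` initialiser of an automatic variable is only enough when the structure has no padding, since padding bytes are not guaranteed to be zeroed by it.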
CVE-2018-14633: a separate Linux kernel flaw that this page also lists. The chap_server_compute_md5() function in the iSCSI target code (drivers/target/iscsi/iscsi_target_auth.c) converts the CHAP_R value sent by an initiator from hex into a 16-byte MD5 digest using a hand-rolled decoder whose write length is driven by the attacker-supplied string rather than by the size of the destination buffer. An unauthenticated remote initiator can therefore overflow a stack buffer (by up to 17 bytes, per Red Hat's analysis). The attack requires an iSCSI target to be enabled on the victim host and results in a crash (denial of service) or, depending on compiler, build flags and architecture, possibly in unauthorised access to data exported by the target. It is fixed upstream by the patch "scsi: target: iscsi: Use hex2bin instead of a re-implementation", which checks the response length against the digest size and decodes with hex2bin(); the remedy is to update the kernel, or to leave the iSCSI target modules (iscsi_target_mod, target_core_mod) unloaded where no target is served.
Timeline
Published on: 09/18/2022 05:15:00 UTC
Last modified on: 09/21/2022 15:07:00 UTC
References
- https://access.redhat.com/security/cve/CVE-2022-40768
- https://access.redhat.com/security/cve/CVE-2018-14633
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/scsi/stex.c
- https://lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org/
- https://www.openwall.com/lists/oss-security/2022/09/09/1
- http://www.openwall.com/lists/oss-security/2022/09/19/1
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40768