Redis
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*
- >= 2.6, < 7.4.3
A denial-of-service vulnerability has been identified in Redis, an open-source in-memory database that persists data on disk. This issue affects Redis versions 2.6 and later, up to but not including 7.4.3. The vulnerability allows an unauthenticated client to cause unlimited growth of output buffers, leading to excessive memory consumption until the server runs out of resources or is terminated. By default, Redis does not impose limits on the output buffers of regular clients, which can result in gradual memory exhaustion. Even when password authentication is enabled on the Redis server, an unauthenticated client can exploit this vulnerability by causing the output buffer to swell with 'NOAUTH' responses, further depleting system memory.
Exploitation of this vulnerability can drive the Redis server out of memory, disrupting service for all clients. In some cases the server process is killed to free up resources.
Users can upgrade to Redis version 7.4.3 or later, where this vulnerability has been patched. For those using Redis versions prior to 7.4.3, an alternative workaround is to block access to the Redis server for unauthenticated clients. This can be achieved using network access control tools such as firewalls or iptables, or by enabling TLS and requiring client-side certificate authentication.
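The following is an added assessment helper, not code from the Redis project or from this advisory's source. It parses the text a Redis server returns to `INFO server` and the value returned by `CONFIG GET client-output-buffer-limit`, flags servers in the affected range (2.6 and later, before 7.4.3), and reports whether the `normal` client class still has the unlimited output-buffer default the advisory describes. The sample responses embedded below are constructed for the example, not captured from a real host; the remediation remains what the advisory states (upgrade to 7.4.3 or later, or keep unauthenticated clients off the port), and the buffer-limit check only tells you whether the default the advisory refers to is in effect.

```python
"""Check a Redis server's version and 'normal' client output-buffer limit.

Added example for the Redis output-buffer exhaustion advisory above.
Inputs are the raw text of `INFO server` and the value string returned by
`CONFIG GET client-output-buffer-limit` (e.g. obtained via redis-cli).
"""
import re
from typing import Dict, List, Tuple

AFFECTED_MIN = (2, 6, 0)   # first affected version per the advisory
FIXED_IN = (7, 4, 3)       # first fixed version per the advisory

# Constructed sample responses (not from a real server).
SAMPLE_INFO_AFFECTED = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_FIXED = "# Server\r\nredis_version:7.4.3\r\nredis_mode:standalone\r\n"
# Redis default: no limit at all for regular ('normal') clients.
DEFAULT_LIMITS = "normal 0 0 0 replica 268435456 67108864 60 pubsub 33554432 8388608 60"
# Constructed example of an operator-set bound (32 MB hard, 8 MB soft for 60 s).
BOUNDED_LIMITS = "normal 33554432 8388608 60 replica 268435456 67108864 60 pubsub 33554432 8388608 60"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.2.4' into (7, 2, 4); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True when 2.6.0 <= version < 7.4.3."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def version_from_info(info_text: str) -> str:
    """Extract the redis_version field from an `INFO server` response."""
    match = re.search(r"^redis_version:(\S+)", info_text, re.MULTILINE)
    if not match:
        raise ValueError("redis_version not found in INFO output")
    return match.group(1)


def parse_output_buffer_limits(value: str) -> Dict[str, Tuple[int, int, int]]:
    """Parse 'normal 0 0 0 replica ... pubsub ...' into
    {class_name: (hard_limit_bytes, soft_limit_bytes, soft_seconds)}."""
    tokens = value.split()
    if not tokens or len(tokens) % 4:
        raise ValueError("unexpected client-output-buffer-limit format")
    limits: Dict[str, Tuple[int, int, int]] = {}
    for i in range(0, len(tokens), 4):
        hard, soft, seconds = (int(t) for t in tokens[i + 1:i + 4])
        limits[tokens[i]] = (hard, soft, seconds)
    return limits


def normal_clients_unbounded(limits: Dict[str, Tuple[int, int, int]]) -> bool:
    """A hard and soft limit of 0 means the output buffer may grow without bound."""
    hard, soft, _ = limits.get("normal", (0, 0, 0))
    return hard == 0 and soft == 0


def assess(info_text: str, buffer_limit_value: str) -> List[str]:
    """Return human-readable findings for one server (empty list = nothing flagged)."""
    findings: List[str] = []
    version = version_from_info(info_text)
    if is_affected_version(version):
        findings.append(
            f"redis_version {version} is in the affected range (>= 2.6, < 7.4.3); "
            "upgrade to 7.4.3 or later, or restrict unauthenticated access"
        )
    if normal_clients_unbounded(parse_output_buffer_limits(buffer_limit_value)):
        findings.append(
            "client-output-buffer-limit for 'normal' clients is 0 0 0: "
            "regular client output buffers are unlimited (the default the advisory describes)"
        )
    return findings


if __name__ == "__main__":
    for label, info, limits in (
        ("affected host (constructed)", SAMPLE_INFO_AFFECTED, DEFAULT_LIMITS),
        ("patched host (constructed)", SAMPLE_INFO_FIXED, BOUNDED_LIMITS),
    ):
        print(label)
        for finding in assess(info, limits) or ["no findings"]:
            print("  -", finding)
```

To run this against a live server, feed it the output of `redis-cli INFO server` and the second element of `redis-cli CONFIG GET client-output-buffer-limit`; the version check is the one that maps directly onto the advisory's affected range.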