Beware! Critical Code Injection Vulnerability Found in Popular Java Redis Client Redisson

CVE: CVE-2023-42809
CVSS v3.1: 9.7
Source: CVE-2023-42809

Redisson is a widely used Java library for connecting to Redis servers. Researchers have discovered a serious deserialization vulnerability that could allow attackers to execute arbitrary code on systems using vulnerable versions of Redisson.

The issue arises because Redisson deserializes objects received from Redis without validation. A malicious actor with access to the Redis server could craft special objects that, when deserialized, would run malicious code on the client system. This could result in a full remote code execution attack.

Versions of Redisson prior to 3.22.0 are affected. To exploit it, an attacker would need to trick a target into connecting their Redisson client to a compromised Redis server controlled by the attacker.

The good news is that the Redisson developers have released version 3.22.0, which patches the vulnerability. Users are urged to upgrade immediately. Additionally, it’s recommended to use the KryoCodec serialization codec instead of Kryo5Codec, as the latter remains vulnerable. When using SerializationCodec, only allow deserialization of known safe classes as a precaution.
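As an added illustration of that last recommendation (this is not code from the Redisson project and does not use its codec API), here is the JDK's own ObjectInputFilter (JEP 290) applied to a plain ObjectInputStream: only a constructed CacheEntry class and java.lang.String may be deserialized, and every other class is refused before its readObject logic can run. The class and field names are assumptions made for the example.

```java
import java.io.*;

// Added example: an allow-list deserialization filter of the kind the advisory recommends.
// It relies on the JDK's ObjectInputFilter (Java 9+), not on any Redisson-specific API.
public class AllowListDeserializer {

    // A value a client might legitimately store in Redis (constructed sample class).
    public static final class CacheEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int hits;
        CacheEntry(String key, int hits) { this.key = key; this.hits = hits; }
    }

    // Pattern filter: allow exactly our class and String, cap object-graph depth,
    // and reject ("!*") everything else, which also covers any gadget-bearing JDK class.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "AllowListDeserializer$CacheEntry;java.lang.String;maxdepth=4;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    /** Deserialize with the allow-list applied; returns null when the filter rejects the stream. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);   // must be installed before the first readObject()
            return in.readObject();
        } catch (InvalidClassException rejected) { // thrown with "filter status: REJECTED"
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate value round-trips through the filter.
        CacheEntry ok = (CacheEntry) readFiltered(serialize(new CacheEntry("user:42", 7)));
        System.out.println("allowed: " + ok.key + " hits=" + ok.hits);

        // Any class outside the allow-list, here a plain java.util.HashMap, is refused
        // at the class-descriptor check, before any of its deserialization code executes.
        Object blocked = readFiltered(serialize(new java.util.HashMap<String, String>()));
        System.out.println("HashMap rejected: " + (blocked == null));
    }
}
```

Redisson's SerializationCodec wraps the same ObjectInputStream machinery, so the allow-list it accepts serves the same purpose as the pattern above; compile and run this file on its own to see the accepted and rejected cases.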

By taking steps to upgrade Redisson and carefully configure object serialization, users can help protect themselves against this critical remote code injection vulnerability. Staying on top of software updates is key for any system interacting with external data sources like Redis.
