V-251250
Redis Enterprise 6.x Security Technical Implementation Guide
Title
Redis Enterprise DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
Description
<VulnDiscussion>With respect to database management systems, one class of threat is known as code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of Lua and SQL. In such cases, the attacker deduces the manner in which code is processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where code is executed dynamically, the attacker is then ab...
Fix Text (Documentation Requirement)
Redis does not rely on a query language, and there is no known method of SQL injection that applies to Redis. Redis is a key-value store driven by individual commands rather than a unified query language. Redis does, however, embed a Lua interpreter, reached through the EVAL and EVALSHA commands; this is the dynamic code execution path this requirement addresses, and it is recommended to disable it unless the application requires server-side scripting. To disable the interpreter, run the following REST API command against the cluster for each database:

curl -v -kL -u "<user>:<password>" --location-trusted -H "Content-type: application/json" -d '{ "disabled_commands": "EVAL, EVALSHA" }' -X PUT https://<URL>:<PORT>/v1/bdbs/<DB_ID>

Notes: the "disabled_commands" field is a single comma-separated string that replaces the database's existing value, so any commands already disabled on the database (for example FLUSHALL) must be included in the new string or they will be re-enabled. The -k option disables TLS certificate verification for the API call; prefer a trusted CA certificate over -k when the cluster is not using a self-signed certificate. Verify the change with a GET to the same /v1/bdbs/<DB_ID> endpoint and confirm that "disabled_commands" lists EVAL and EVALSHA; an EVAL issued to the database through redis-cli should then be rejected. Before applying this in production, confirm that no application or client library depends on server-side Lua (distributed locks and rate limiters commonly do), since those operations will fail once the commands are disabled.
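The following script is an added example, not part of the STIG or of Redis's own tooling. It performs the same REST API change as the curl command above, but first reads the database's current "disabled_commands" string so that existing entries are preserved, then re-reads the database object and checks that EVAL and EVALSHA are present. The base URL, port, credentials and database UID are placeholders, and the CA bundle path is an assumption; the helper functions that parse and merge the comma-separated string run offline on a constructed database object.

```python
"""Disable Lua scripting (EVAL/EVALSHA) on a Redis Enterprise database via the
cluster REST API and verify the result.

Added example, not from the STIG or from Redis. Assumes the REST API is reachable
at https://<host>:<port> (placeholders) with a user permitted to read and update
databases (BDBs). The CA bundle path is a hypothetical value for this example.
"""
import base64
import json
import ssl
import urllib.request

# Commands whose absence the STIG requirement is concerned with.
REQUIRED_DISABLED = ("EVAL", "EVALSHA")


def parse_disabled_commands(value):
    """Split the API's comma-separated 'disabled_commands' string into a set of
    upper-cased command names, tolerating spaces and empty entries."""
    return {c.strip().upper() for c in value.split(",") if c.strip()}


def merge_disabled_commands(current, extra=REQUIRED_DISABLED):
    """Return a new 'disabled_commands' string that keeps everything already
    disabled and adds the required commands (sorted for a stable result)."""
    merged = parse_disabled_commands(current) | {c.upper() for c in extra}
    return ",".join(sorted(merged))


def scripting_disabled(bdb):
    """True if a BDB object (as returned by GET /v1/bdbs/<uid>) disables every
    command in REQUIRED_DISABLED."""
    return set(REQUIRED_DISABLED) <= parse_disabled_commands(
        bdb.get("disabled_commands", "")
    )


def _api(method, url, user, password, body=None, cafile=None):
    """Issue one authenticated JSON request; TLS is verified (no -k equivalent)."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, data=data)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def harden_bdb(base_url, uid, user, password, cafile=None):
    """Disable EVAL/EVALSHA on one database, preserving other disabled commands,
    and return whether the re-read database object shows scripting disabled."""
    url = f"{base_url}/v1/bdbs/{uid}"
    current = _api("GET", url, user, password, cafile=cafile)
    new_value = merge_disabled_commands(current.get("disabled_commands", ""))
    _api("PUT", url, user, password, {"disabled_commands": new_value}, cafile)
    return scripting_disabled(_api("GET", url, user, password, cafile=cafile))


if __name__ == "__main__":
    # Placeholder values; replace with the cluster's real API endpoint and credentials.
    ok = harden_bdb(
        "https://<URL>:<PORT>", "<DB_ID>", "<user>", "<password>",
        cafile="/etc/ssl/certs/redis-cluster-ca.pem",  # hypothetical CA bundle
    )
    print("EVAL/EVALSHA disabled:", ok)
```

Because the PUT replaces the whole "disabled_commands" string, the GET-then-merge step is what keeps previously disabled commands such as FLUSHALL in place; running the bare curl from the fix text against a database that already had other commands disabled would silently re-enable them.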