CVE-2024-31449 (High), CVE 2024-31227 (Moderate), and CVE 2024-31228 (Moderate)

Our commitment to data privacy and security is embedded in every part of our business. The information in this portal is intended to help customers better understand the security features and configurations of Redis Enterprise products, as well as Redis’ commitment to security and privacy.

Trust Center Updates

CVE-2024-31449 (High), CVE-2024-31227 (Moderate), and CVE-2024-31228 (Moderate)

Vulnerabilities

As part of an ongoing effort by the Redis Community and Redis to maintain Redis’ safety, security, and compliance posture, three security vulnerabilities in Redis have been published recently.

The vulnerabilities are: CVE-2024-31449 (High), CVE-2024-31227 (Moderate), and CVE-2024-31228 (Moderate).

Redis Cloud has already been updated with all the required fixes, so Redis Cloud customers need not take further action. Redis has found no evidence of exploitation of these vulnerabilities in Redis Cloud or customer environments.

We encourage all Redis Software, Redis Community Edition, Redis OSS, and Redis Stack customers to upgrade to a release that includes the fix per the cadence required by their security best practices in light of the CVE severity.

We thank the security research community for helping us keep Redis secure!

For additional information, please refer to: https://redis.io/blog/security-advisory-cve-2024-31449-cve-2024-31227-cve-2024-31228/

Redis Achieves CSA STAR Level 2 Certification: A Milestone in Cloud Security and Trust

Compliance

We are thrilled to announce that Redis Cloud has successfully achieved the CSA STAR Level 2 certification, a rigorous, third-party independent assessment of a cloud service provider's security posture, marking a noteworthy milestone in our ongoing commitment to providing secure and trustworthy cloud services.

Achieving this certification demonstrates that Redis Cloud has met the stringent requirements of the Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM), which is recognized globally as a benchmark for cloud security.

This certification is not just a testament to our robust security measures but also reflects our commitment to transparency and accountability in how we manage and protect our customers' data, providing our customers with the assurance they need to trust us with their most critical data.

We would like to extend our gratitude to our dedicated teams across Redis whose cooperation and hard work made this achievement possible. Their commitment to excellence and security has been instrumental in reaching this milestone.

All of our CSA STAR Level 2 certification documents are available on the Redis Trust Center or you can reach out to your account representative with any inquiries.

Protecting Access to your Redis Cloud Account

General

Threat actors are increasingly targeting cloud-based services by attempting to take over customer accounts using stolen customer account credentials. Google Cloud’s 2023 Threat Horizons Report observed that 86% of data breaches last year (2023) involved stolen credentials, and this year (2024) appears no different.

As a Redis Cloud customer, you have several options to help secure access to your account. At a minimum, we recommend the following basic steps:

  1. Enforce multi-factor authentication on your Redis Cloud account.
  2. Set up appropriate network policies to allow only authorized/trusted traffic to your cluster.
  3. Disable any Redis Cloud user accounts that are no longer active.

To assist with managing your Redis Cloud security posture at enterprise scale, we offer numerous cloud configuration options*, such as CIDR allow lists, VPC peering, Private Service Connect, Single Sign-on (SAML) integration, and more. The Redis Docs Center provides additional detail on customer security configuration options.

As part of our shared responsibility model, Redis Cloud customers are responsible for securing customer-facing access to their accounts. Customers with Support Services who require additional information can open a support ticket for assistance.

*Some network configuration options may only be available for certain Redis Cloud subscription levels. Contact your Redis Sales Representative if you have subscription-related questions.

Spinning YARN: Redis Protection Information

Vulnerabilities

Security researchers at Cado Security have identified another campaign and malware variant targeting Redis in the wild. In their recently published blog post, they detail 4 variants of Golang malware they have observed targeting Docker, Hadoop YARN, Confluence, and Redis.

Specific to Redis, they describe how (yet again) these malware variants require the attacker to connect to the target Redis server in order to be successful; there is no exploit or new vulnerability involved. This initial entry takes advantage of open-source Redis instances that have been misconfigured and left in an insecure, non-default state, specifically servers that are configured with weak authentication or are compromised via other means (e.g., leaked or stolen credentials).

We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Additionally, specific features in Redis Enterprise add further protections against the novel methods found in these new malware variants. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.

Migo: Redis Protection Information

Vulnerabilities

Security researchers at BleepingComputer recently published an article detailing research from Cado Security on a piece of malware called ‘Migo’ that targets Redis servers and uses them to mine cryptocurrency. In the article, they describe how Migo requires the attacker to connect to the target Redis server in order to be successful; there is no exploit or new vulnerability involved. This initial entry takes advantage of open-source Redis instances that have been misconfigured and left in an insecure, non-default state, specifically servers that are configured with weak authentication or are compromised via other means (e.g., leaked or stolen credentials).

We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Additionally, specific features in Redis Enterprise add further protections against the novel methods employed by Migo. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.
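Both the Spinning YARN and Migo updates above describe the same precondition: a Redis server that was reachable from the network and had weak or no authentication, which is a non-default state. The following script is an added example (not a Redis or Cado Security tool) that audits a redis.conf fragment for exactly those settings. The two embedded configurations are constructed samples, and the 16-character password threshold is a choice made for this example, not a Redis setting.

```python
"""Audit redis.conf text for the insecure, non-default settings that the
Migo and Spinning YARN campaigns rely on: a server exposed on the network
with weak or no authentication.  Added example; not Redis's own tooling."""
import shlex
from typing import Dict, List, Tuple

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret-value
user default on >CHANGE-ME-long-random-secret-value ~* &* +@all -@dangerous
"""

MIN_PASSWORD_LEN = 16  # threshold chosen for this example, not a Redis setting
Finding = Tuple[str, str]  # (severity, message)


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.
    Directives such as 'user' may legitimately repeat, so values are lists."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def listens_on_all_interfaces(conf: Dict[str, List[List[str]]]) -> bool:
    """With no 'bind' line Redis listens on every interface; '*', '0.0.0.0'
    and '::' (optionally '-'-prefixed) request the same thing explicitly."""
    binds = conf.get("bind")
    if not binds:
        return True
    return any(addr.lstrip("-") in {"0.0.0.0", "*", "::"}
               for args in binds for addr in args)


def default_user_auth(conf: Dict[str, List[List[str]]]) -> Tuple[bool, bool]:
    """Return (password_required, any_password_weak) for the default user,
    considering both 'requirepass' and 'user default ...' ACL lines."""
    required, weak = False, False
    for args in conf.get("requirepass", []):
        if args and args[0]:
            required = True
            weak = weak or len(args[0]) < MIN_PASSWORD_LEN
    for args in conf.get("user", []):
        if not args or args[0] != "default":
            continue
        if "nopass" in args:
            return False, False  # 'nopass' removes the password requirement
        if "off" in args:
            required = True  # default user disabled: no anonymous access
        for a in args:
            if a.startswith(">"):
                required = True
                weak = weak or len(a) - 1 < MIN_PASSWORD_LEN
            elif a.startswith("#"):
                required = True  # SHA-256 hash given; length not recoverable
    return required, weak


def audit(text: str) -> List[Finding]:
    """Return findings for the exposure/authentication combination."""
    conf = parse_conf(text)
    findings: List[Finding] = []
    exposed = listens_on_all_interfaces(conf)
    protected = conf.get("protected-mode", [["yes"]])[-1]
    protected_on = bool(protected) and protected[0].lower() == "yes"
    if exposed:
        findings.append(("medium", "bind: server listens on all interfaces"))
    if not protected_on:
        findings.append(("medium", "protected-mode is off (non-default)"))
    required, weak = default_user_auth(conf)
    if not required:
        # Reachable from the network with no auth is the state the malware needs.
        severity = "critical" if exposed and not protected_on else "high"
        findings.append((severity, "no password required for the default user"))
    elif weak:
        findings.append(("high", "default user password shorter than %d characters"
                         % MIN_PASSWORD_LEN))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

Run against a live server's effective settings by feeding it the output of `CONFIG GET` rather than the file on disk, since a file edited after startup does not reflect what the process is actually running with.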

If you think you may have discovered a vulnerability, please send us a note.