CVE-2020-14147

7.7 HIGH

📋 TL;DR

This CVE describes an integer overflow vulnerability in Redis's Lua sandbox that allows authenticated users with Lua execution permissions to trigger a stack-based buffer overflow. This can lead to denial of service (crash) or potentially bypass sandbox restrictions. Affects Redis instances where Lua scripting is enabled and users have execution permissions.

💻 Affected Systems

Products:
  • Redis
Versions: All versions before 6.0.3
Operating Systems: All platforms running vulnerable Redis versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Lua scripting enabled (default) and user permissions to execute Lua scripts

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Memory corruption leading to arbitrary code execution, sandbox escape, and complete system compromise

🟠 Likely Case: Denial of service through Redis crash and potential data corruption

🟢 If Mitigated: No impact if Lua scripting is disabled or users lack execution permissions

🌐 Internet-Facing: MEDIUM - Requires authenticated Lua execution access, but Redis often exposed with default configurations
🏢 Internal Only: MEDIUM - Same requirements as internet-facing, but reduced attack surface

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with Lua execution permissions. The vulnerability is a regression of CVE-2015-8080.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Redis 6.0.3 and later

Vendor Advisory: https://github.com/redis/redis/releases/tag/6.0.3

Restart Required: Yes

Instructions:

1. Backup Redis data and configuration.
2. Stop Redis service.
3. Upgrade to Redis 6.0.3 or later.
4. Restart Redis service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable Lua scripting

all

Prevents exploitation by removing the Lua execution path entirely. Note that lua-time-limit only bounds how long a script may run (0 removes that bound), so it does not disable scripting. On Redis 6.0.x, remove the scripting commands (EVAL, EVALSHA, SCRIPT) from every ACL user; on versions before 6.0, which have no ACLs, disable those commands with rename-command in redis.conf and restart.

# Redis 6.0.x: drop the @scripting category (EVAL, EVALSHA, SCRIPT) from a user; repeat for every user, then persist with ACL SAVE or CONFIG REWRITE
redis-cli ACL SETUSER default -@scripting

Restrict Lua script permissions

all

Limit which users can execute Lua scripts to reduce the attack surface: grant the scripting commands only to a dedicated, trusted user and remove them from everyone else.

# Redis 6.0.x: a user that may run PING and EVAL only (ACL SETUSER requires Redis 6.0 or later)
redis-cli ACL SETUSER <username> on ><password> ~* -@all +ping +eval

🧯 If You Can't Patch

  • Implement strict network access controls to limit Redis exposure
  • Disable Lua scripting entirely or restrict to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check Redis version and compare against vulnerable range (< 6.0.3)

Check Version:

# INFO server reports the server's own version; redis-cli --version only prints the client build
redis-cli INFO server | grep redis_version

Verify Fix Applied:

Confirm Redis version is 6.0.3 or later and test Lua script execution
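As an added audit helper (not part of this page, and not Redis's own tooling), the following script combines the two checks the workaround and verification sections call for: it reads the server version from `INFO server` output and replays each `ACL LIST` line to find which enabled users can still reach EVAL, EVALSHA or SCRIPT. The INFO and ACL LIST samples are constructed, and the category model (that @all, @scripting and @slow contain the scripting commands) is an assumption taken from Redis 6.0's command table.

```python
import re

FIXED_VERSION = (6, 0, 3)
SCRIPT_CMDS = {"eval", "evalsha", "script"}
# Granting any of these categories makes the scripting commands callable: Redis's
# command table flags EVAL/EVALSHA/SCRIPT as @slow and @scripting; @all covers all.
SCRIPT_CATS = {"@all", "@scripting", "@slow"}

def parse_redis_version(info_server: str) -> tuple:
    """redis_version from `INFO server` output (the server's version, unlike
    `redis-cli --version`, which reports the client build)."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def user_can_run_scripts(acl_line: str) -> bool:
    """Replay one `ACL LIST` line left to right; the last rule touching a
    scripting command, or a category that contains one, decides."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user" or tokens[2] != "on":
        return False  # malformed line, or an 'off' user that cannot authenticate
    allowed = False
    for tok in tokens[3:]:
        t = {"allcommands": "+@all", "nocommands": "-@all"}.get(tok, tok).lower()
        if t[0] not in "+-":
            continue  # password hashes, key patterns and flags do not matter here
        target = t[1:].split("|")[0]  # "+script|load" still exposes a SCRIPT subcommand
        if target in SCRIPT_CATS or target in SCRIPT_CMDS:
            allowed = t[0] == "+"
    return allowed

def assess(info_server: str, acl_list: list) -> dict:
    # Exposed only when the build predates 6.0.3 AND some user can run scripts
    version = parse_redis_version(info_server)
    script_users = [line.split()[1] for line in acl_list if user_can_run_scripts(line)]
    vulnerable_build = version < FIXED_VERSION
    return {"version": version, "vulnerable_build": vulnerable_build,
            "script_users": script_users, "at_risk": vulnerable_build and bool(script_users)}

# Constructed sample output in the shape `redis-cli INFO server` and `ACL LIST` return it
SAMPLE_INFO = "# Server\r\nredis_version:6.0.2\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass ~* +@all -@scripting",     # scripting removed: not exposed
    "user app on #<hash> ~app:* -@all +@read +@write",  # never granted: not exposed
    "user batch on #<hash> ~* -@all +ping +eval",       # explicit +eval: exposed
    "user legacy on nopass ~* allcommands",             # allcommands: exposed
]

if __name__ == "__main__":
    print(assess(SAMPLE_INFO, SAMPLE_ACL))
```

Run it against the real output of `redis-cli INFO server` and `redis-cli ACL LIST` on each instance; an at_risk result means the build must be upgraded or the listed users must lose the scripting commands.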

📡 Detection & Monitoring

Log Indicators:

  • Redis crash logs
  • Unexpected Lua script execution patterns
  • Memory corruption errors

Network Indicators:

  • Unusual Lua script execution requests
  • Multiple failed Lua execution attempts

SIEM Query:

source="redis" AND ("crash" OR "segmentation fault" OR ("lua" AND "overflow"))
