CVE-2022-33105

7.5 HIGH

📋 TL;DR

CVE-2022-33105 is a memory leak vulnerability in Redis v7.0's streamGetEdgeID component that allows attackers to cause denial of service by exhausting system memory. This affects Redis servers running vulnerable versions, particularly those exposed to untrusted clients or processing malicious stream commands.

💻 Affected Systems

Products:
  • Redis
Versions: Redis 7.0.0 through 7.0.1
Operating Systems: All operating systems running Redis
Default Config Vulnerable: ⚠️ Yes
Notes: All Redis 7.0.x installations are vulnerable regardless of configuration. The vulnerability is triggered by specific stream operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system memory exhaustion leading to Redis crash and denial of service, potentially affecting dependent applications and requiring server restart.

🟠 Likely Case

Gradual memory consumption increase over time, reducing available system resources and degrading Redis performance until manual intervention is required.

🟢 If Mitigated

Minimal impact with proper memory monitoring and resource limits in place, allowing for detection and remediation before service disruption.

🌐 Internet-Facing: MEDIUM - Requires specific stream commands to trigger, but exposed Redis instances could be targeted by attackers to cause DoS.
🏢 Internal Only: LOW - Internal Redis instances are less likely to receive malicious stream commands unless compromised internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific stream commands to Redis, which can be done by any client with access to the Redis server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Redis 7.0.2 and later

Vendor Advisory: https://github.com/redis/redis/commit/4a7a4e42db8ff757cdf3f4a824f66426036034ef

Restart Required: Yes

Instructions:

1. Download Redis 7.0.2 or later from redis.io.
2. Stop the Redis service.
3. Install the new version.
4. Start the Redis service.
5. Verify the version with 'redis-server --version'.

🔧 Temporary Workarounds

Disable Stream Commands

Use Redis ACL to restrict or disable stream-related commands for untrusted clients

ACL SETUSER untrusteduser -@stream

Memory Limit Configuration

Set maxmemory and eviction policy to prevent complete memory exhaustion

maxmemory 2gb
maxmemory-policy allkeys-lru

🧯 If You Can't Patch

  • Implement strict network access controls to limit Redis exposure to trusted clients only
  • Deploy memory monitoring with alerts for abnormal memory consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check the Redis version with 'redis-server --version' or 'redis-cli info server | grep redis_version'. If the version is 7.0.0 or 7.0.1, the system is vulnerable.

Check Version:

redis-server --version

Verify Fix Applied:

After patching, verify version is 7.0.2 or later using 'redis-server --version'. Monitor memory usage during normal operations.
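The version check above can be scripted so it parses both output formats the advisory mentions ('redis-server --version' and 'INFO server') and compares against the affected range. The following is an added example, not part of this advisory and not Redis project code; the sample output strings are constructed, and the 'assess_live' helper is a hypothetical wrapper around 'redis-cli' that is not exercised by the samples.

```shell
#!/bin/sh
# Added example, not from the advisory. Classifies a Redis version string
# against the CVE-2022-33105 affected range stated above (7.0.0 and 7.0.1).
# The inputs at the bottom are constructed samples of the two formats a
# practitioner actually sees; nothing here is captured from a real host.

# Pull "x.y.z" out of either `redis-server --version` ("... v=7.0.1 ...")
# or an `INFO server` line ("redis_version:7.0.1"). Prints nothing if absent.
extract_version() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*redis_version:\([0-9][0-9.]*\).*/\1/p' \
    -e 's/.* v=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit status 0 if the version is in the affected range, 1 otherwise.
is_vulnerable() {
  case "$1" in
    7.0.0|7.0.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Human-readable verdict: "VULNERABLE (x.y.z)", "FIXED (x.y.z)", or
# "UNKNOWN" when no version could be parsed from the input.
assess() {
  v=$(extract_version "$1")
  [ -n "$v" ] || { echo "UNKNOWN"; return 0; }
  if is_vulnerable "$v"; then
    echo "VULNERABLE ($v)"
  else
    echo "FIXED ($v)"
  fi
}

# Hypothetical live check against a reachable server (not run by the samples
# below). Reads INFO server via redis-cli; redis-cli's own REDISCLI_AUTH
# environment variable supplies credentials if the server requires them.
assess_live() {
  command -v redis-cli >/dev/null 2>&1 || { echo "UNKNOWN (redis-cli not found)"; return 0; }
  assess "$(redis-cli -h "${1:-127.0.0.1}" -p "${2:-6379}" INFO server 2>/dev/null \
            | grep '^redis_version:')"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CLI='Redis server v=7.0.1 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=deadbeef'
SAMPLE_INFO='redis_version:7.0.2'

assess "$SAMPLE_CLI"   # VULNERABLE (7.0.1)
assess "$SAMPLE_INFO"  # FIXED (7.0.2)
```

Run 'assess_live host port' against a server you administer to get the same verdict from its INFO output; the parser tolerates the CRLF line endings redis-cli emits because the trailing '.*' absorbs the carriage return.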

📡 Detection & Monitoring

Log Indicators:

  • Abnormal memory usage patterns in Redis logs
  • Frequent memory allocation failures

Network Indicators:

  • Unusual volume of XADD, XRANGE, or other stream commands from single sources

SIEM Query:

source="redis.log" AND ("out of memory" OR "OOM" OR memory_usage>90%)
