CVE-2023-42809

9.6 CRITICAL

📋 TL;DR

CVE-2023-42809 is a critical deserialization vulnerability in Redisson Java Redis client that allows remote code execution. Attackers who can redirect clients to a malicious Redis server can send specially crafted objects that, when deserialized, execute arbitrary code on the client machine. This affects all Redisson users prior to version 3.22.0 who communicate with untrusted Redis servers.

💻 Affected Systems

Products:
  • Redisson
Versions: All versions prior to 3.22.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configurations when using certain codecs. Kryo5Codec remains vulnerable even after patching due to setRegistrationRequired(false).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the client machine with full remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, or lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation and allowlisting, potentially only denial of service if deserialization fails safely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control or redirect Redis server communications. Public proof-of-concept exists in GitHub advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.22.0

Vendor Advisory: https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe

Restart Required: Yes

Instructions:

1. Update the Redisson dependency to version 3.22.0 or later.
2. For Maven: update pom.xml to <version>3.22.0</version>.
3. For Gradle: update build.gradle to implementation 'org.redisson:redisson:3.22.0'.
4. Rebuild and redeploy the application.
5. Restart affected services.

🔧 Temporary Workarounds

Use Safe Codec Configuration

Applies to: all

Configure SerializationCodec with an explicit allowlist of classes permitted for deserialization:

new SerializationCodec(classLoader, allowedClassesSet)

Avoid Kryo5Codec

Applies to: all

Do not use Kryo5Codec, as it remains vulnerable even after patching:

// Use KryoCodec instead of Kryo5Codec

🧯 If You Can't Patch

  • Implement network controls to ensure Redisson clients only communicate with trusted Redis servers
  • Use allowlisting with SerializationCodec constructor to restrict deserializable classes
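The two workarounds above (allowlisting SerializationCodec and avoiding Kryo5Codec) combined into one client configuration. This is an added example, not code from the Redisson project or the advisory; it assumes a Redisson 3.22.0+ dependency on the classpath, a Redis instance at redis://127.0.0.1:6379, and a hypothetical application class com.example.OrderEvent as the only custom type stored in Redis.

```java
import java.util.Set;
import org.redisson.Redisson;
import org.redisson.api.RBucket;
import org.redisson.api.RedissonClient;
import org.redisson.codec.Kryo5Codec;
import org.redisson.codec.SerializationCodec;
import org.redisson.config.Config;

public class SafeRedissonCodec {

    // Fully qualified names of the only classes the codec may resolve while
    // deserializing. Every type in the stored object graph must be listed
    // (wrappers and collections included). com.example.OrderEvent is a
    // hypothetical application class used for illustration.
    static final Set<String> ALLOWED_CLASSES = Set.of(
            "java.lang.String",
            "java.lang.Integer",
            "java.util.ArrayList",
            "com.example.OrderEvent");

    public static Config hardenedConfig(String redisAddress) {
        Config config = new Config();
        config.useSingleServer().setAddress(redisAddress);
        // Replace the default codec with the allowlisting SerializationCodec
        // constructor that Redisson added in 3.22.0.
        config.setCodec(new SerializationCodec(
                SafeRedissonCodec.class.getClassLoader(), ALLOWED_CLASSES));
        return config;
    }

    // Guard for the second workaround: Kryo5Codec stays exploitable after
    // patching, so refuse to start a client that is configured with it.
    public static boolean usesUnsafeCodec(Config config) {
        return config.getCodec() instanceof Kryo5Codec;
    }

    public static void main(String[] args) {
        Config config = hardenedConfig("redis://127.0.0.1:6379");
        if (usesUnsafeCodec(config)) {
            throw new IllegalStateException("Kryo5Codec must not be used");
        }
        RedissonClient client = Redisson.create(config);
        try {
            RBucket<String> bucket = client.getBucket("cve-2023-42809:demo");
            bucket.set("hello");
            // A stored payload whose classes are not in ALLOWED_CLASSES fails
            // here with a deserialization exception rather than executing.
            System.out.println(bucket.get());
        } finally {
            client.shutdown();
        }
    }
}
```

The resulting deserialization exceptions for disallowed classes are the "Java deserialization errors" listed under Detection & Monitoring, so log them rather than swallowing them.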

🔍 How to Verify

Check if Vulnerable:

Check the Redisson version in dependency files (pom.xml, build.gradle) or at runtime with Redisson.getVersion()

Check Version:

Redisson.getVersion() or check dependency manifest files

Verify Fix Applied:

Confirm Redisson version is 3.22.0 or higher and verify codec configurations avoid Kryo5Codec

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors
  • Unexpected ClassNotFoundException
  • Suspicious network connections to Redis

Network Indicators:

  • Unusual outbound connections from Java applications to Redis servers
  • Redis protocol traffic to unexpected destinations

SIEM Query:

source="*redisson*" AND (event="deserialization_error" OR event="ClassNotFoundException")
