CVE-2022-0543
Redis vulnerability analysis and mitigation

Overview

CVE-2022-0543 is a Debian-specific Lua sandbox escape vulnerability in Redis, a persistent key-value database. The vulnerability was discovered by Reginaldo Silva and disclosed in February 2022. It affects the Debian packages redis 5:5.0.14-1+deb10u1, redis/5:5.0.3-4, and redis/5:6.0.15-1, and therefore Debian, Ubuntu, and other Debian-derived Linux distributions that ship those builds. Notably, upstream Redis is not affected by this vulnerability (Ubercomp Blog).

Technical details

The vulnerability exists because the Lua library in Debian is provided as a dynamic library, whereas upstream Redis statically links Lua. During interpreter initialization in the Debian build, the 'package' global was automatically populated, and through it a script could reach arbitrary Lua functionality, including the 'execute' function from the 'os' module. This packaging difference is what allowed the sandbox escape. The vulnerability has received a CVSS v3.1 base score of 10.0 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (NetApp Advisory).

Impact

Successful exploitation of this vulnerability could allow an attacker who is able to execute arbitrary Lua code (for example through EVAL) to execute arbitrary shell commands on the host system. This could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Redis versions 5:6.0.16-1+deb11u2 for Debian bullseye and 5:5.0.14-1+deb10u2 for Debian buster. The fix clears the 'package' global during Lua initialization, so scripts can no longer reach it. Users should upgrade their Redis packages to these versions or later (Debian Security Advisory).
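Because the technical details above come down to whether the Lua 'package' global is reachable from a script, and the fix is to clear it, an administrator can verify the state of a patched server with a non-destructive probe. The script below is an added example written for this page, not code from Wiz, Debian or the Redis project: it speaks the Redis RESP wire protocol directly (no client library needed) and runs EVAL "return type(package)" 0, which only asks the Lua type of the global and executes nothing else. On an affected Debian build this returns the string "table"; on a fixed build it returns "nil". The host, port and password parameters are assumptions for your own environment.

```python
import socket

# Constructed probe: ask the Lua interpreter what type the global `package` has.
# Affected Debian builds answer "table"; fixed builds (package cleared) answer "nil".
PROBE_SCRIPT = "return type(package)"


def encode_resp_command(*parts):
    """Encode a Redis command as a RESP array of bulk strings (the format redis-cli sends)."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        data = part.encode() if isinstance(part, str) else part
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse_resp_reply(raw):
    """Parse one simple-string, error, integer, bulk-string or null RESP reply.

    Returns (kind, value) with kind in {'status', 'error', 'integer', 'bulk', 'null'}.
    """
    if not raw.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    prefix, body = raw[:1], raw[1:]
    if prefix == b"+":
        return "status", body[:-2].decode()
    if prefix == b"-":
        return "error", body[:-2].decode()
    if prefix == b":":
        return "integer", int(body[:-2])
    if prefix == b"$":
        header, _, rest = body.partition(b"\r\n")
        length = int(header)
        if length == -1:
            return "null", None
        return "bulk", rest[:length].decode()
    raise ValueError(f"unsupported reply type {prefix!r}")


def classify(reply):
    """Turn the probe's reply into a verdict string for the operator."""
    kind, value = reply
    if kind == "bulk" and value == "table":
        return "VULNERABLE: Lua 'package' global is reachable from scripts"
    if kind == "bulk" and value == "nil":
        return "NOT VULNERABLE: Lua 'package' global is cleared"
    if kind == "error" and "NOAUTH" in value:
        return "UNKNOWN: server requires AUTH before EVAL"
    if kind == "error":
        return f"UNKNOWN: server refused the probe ({value})"
    return f"UNKNOWN: unexpected reply {kind}={value!r}"


def probe(host="127.0.0.1", port=6379, password=None, timeout=3.0):
    """Connect to a Redis instance you administer and report the 'package' state."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(encode_resp_command("AUTH", password))
            auth_reply = parse_resp_reply(sock.recv(4096))
            if auth_reply[0] == "error":
                return f"UNKNOWN: AUTH failed ({auth_reply[1]})"
        sock.sendall(encode_resp_command("EVAL", PROBE_SCRIPT, "0"))
        return classify(parse_resp_reply(sock.recv(4096)))


if __name__ == "__main__":
    # Assumed local instance; adjust host/port/password for your deployment.
    print(probe())
```

Run it against each Debian-based Redis host after applying the updated packages; the expected verdict after the fix is the "NOT VULNERABLE" line. A "VULNERABLE" verdict on a host that has been upgraded usually means the redis-server process was not restarted after the package update, since the cleared 'package' global only takes effect in a freshly initialised interpreter.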

Community reactions

Microsoft has confirmed that Azure Cache for Redis is not vulnerable to this CVE (Microsoft Q&A).
