CVE-2022-35977: 
Redis vulnerability analysis and mitigation

CVE-2022-35977 is a security vulnerability discovered in Redis, an in-memory database that persists on disk. The vulnerability was disclosed on January 20, 2023, affecting all versions of Redis prior to versions 7.0.8, 6.2.9, and 6.0.17. This vulnerability allows authenticated users to trigger an integer overflow by issuing specially crafted SETRANGE and SORT(_RO) commands (Redis Advisory, NVD).

The vulnerability is characterized by an integer overflow condition that occurs when processing specially crafted SETRANGE and SORT(_RO) commands. When exploited, this vulnerability can cause Redis to attempt to allocate impossible amounts of memory, leading to an Out of Memory (OOM) panic. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Moderate), with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The technical assessment indicates that the attack requires local access, low complexity, and low privileges, with no user interaction needed (Redis Advisory).

The primary impact of this vulnerability is on system availability. When successfully exploited, it can cause Redis to crash with an Out of Memory (OOM) panic, effectively creating a denial of service condition. The vulnerability does not affect data confidentiality or integrity, but specifically targets the availability aspect of the system (Redis Advisory).

The vulnerability has been patched in Redis versions 7.0.8, 6.2.9, and 6.0.17. Users are advised to upgrade to these versions or later to mitigate the vulnerability. The fix includes improvements to integer overflow checks in the SETRANGE and SORT commands implementation (Redis Release, Ubuntu Notice).

Microsoft acknowledged the vulnerability's impact on Azure Cache for Redis version 6, confirming that patches would be rolled out to address the issue (Microsoft QA).