PT-2023-28595 · Oracle · Java

Atorralba +3

Published 2023-10-04 · Updated 2024-08-05

CVE-2023-42809

CVSS v3.1: 9.6 Critical

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Redisson versions prior to 3.22.0
Description: The issue concerns a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers can trick a client into communicating with a malicious server that includes specially crafted objects in its responses; once deserialized by the client, these objects force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.
Recommendations: For versions prior to 3.22.0, update to version 3.22.0 to resolve the issue. As a temporary workaround, consider restricting the classes allowed for deserialization by using the SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses) constructor. Avoid using Kryo5Codec as the deserialization codec, as it remains vulnerable to arbitrary object deserialization because of its setRegistrationRequired(false) call. Use KryoCodec as a safe alternative for deserialization.
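The allowlist workaround above, wired into a Redisson client configuration next to the default (unrestricted) codec it replaces, as an added example that is not code from the advisory or from the Redisson project. The class names in the allowlist and the Redis address are placeholders; the SerializationCodec(ClassLoader, Set<String>) constructor is the one the advisory names.

```java
import java.util.Set;

import org.redisson.Redisson;
import org.redisson.api.RedissonClient;
import org.redisson.codec.SerializationCodec;
import org.redisson.config.Config;

public class RedissonCodecHardening {

    // Placeholder allowlist: replace with the exact classes your application
    // stores in Redis. Every class the serialized graph names (nested fields
    // and collection types included) must be listed, or decoding fails.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "com.example.app.model.Order",
            "com.example.app.model.Customer",
            "java.lang.String");

    private static final String REDIS_ADDRESS = "redis://127.0.0.1:6379"; // placeholder

    /** Weak: the no-arg codec resolves any class the server's payload names. */
    static Config unrestricted() {
        Config config = new Config();
        config.setCodec(new SerializationCodec());
        config.useSingleServer().setAddress(REDIS_ADDRESS);
        return config;
    }

    /** Hardened: only the listed class names are resolved during deserialization. */
    static Config restricted() {
        Config config = new Config();
        config.setCodec(new SerializationCodec(
                RedissonCodecHardening.class.getClassLoader(), ALLOWED_CLASSES));
        config.useSingleServer().setAddress(REDIS_ADDRESS);
        return config;
    }

    public static void main(String[] args) {
        // Build the client from the hardened configuration only.
        RedissonClient client = Redisson.create(restricted());
        try {
            System.out.println("codec in use: " + client.getConfig().getCodec().getClass().getName());
        } finally {
            client.shutdown();
        }
    }
}
```

A payload naming a class outside ALLOWED_CLASSES is rejected at decode time instead of being instantiated, so the rejection surfaces as a decoding error on the client side and is a useful signal to log.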

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2023-42809
GHSA-4HVC-QWR2-F8RV

Affected Products

Java