
A post-auth memory corruption vulnerability scores a CVSS 10. Shellshock got like a 9.5. These scores don't mean anything.

You can imagine a post-auth Redis vulnerability being deceptively well-exposed, because web apps often give partial control of the Redis key space to attackers, and don't care how long you make your strings. But this one is a UAF that requires attackers to send a malicious Lua script.



Agreed. Adding to this, if a malicious actor already has the ability to execute arbitrary Lua scripts on your Redis instance, then you are probably already pretty screwed.


I've got nothing bad to say about the vuln research here; I'm sure it's a great bug. It's just that this CVSS stuff is a farce, and everyone seriously working in the field seems to agree, but we're just completely path-dependently locked in to it.


If the Lua "sandbox" is actually a decent sandbox, then the most you could do before was DoS the box. DoS <<<<< RCE


I see downvotes but no explanations why -- what is wrong with my claim?


I believe the context is that the CVE is that this bypasses the sandbox entirely; so in this specific case this is a real, full-blown RCE. Your comment makes it seem at a glance that you're saying it's a DoS at worst.


Thanks for replying, but my comment is not saying that at all -- it's pushing back on someone making the claim that the new CVE is no worse than what could already be done, by pointing out that what could already be done was (presumably) only a DoS, while the new CVE is full RCE.

I've reread my comment and the parent comment, and I don't understand how this is not clear?


The Lua interpreter in Redis doesn't allow you to run regular code; you can't even "print", let alone load libraries as in a regular Lua interpreter. It's a sandboxed one with very minimal operations you can do.


The vulnerability appears to _be_ a Lua sandbox escape.


The number of Redis setups out there which rely on user-uploaded Lua scripts and the Lua sandbox being sufficient for that has got to be... close to 0?

Like, the Lua scripting feature is there for developers to write static trusted Lua, check it in, and run transactional stuff etc., and so anyone uploading arbitrary user code as a script is already wildly outside of a normal use of Redis.

Seems wild that something which requires using the thing wrong, and also which impacts close to 0 real deployments of the thing, gets a CVSS 10.


Bugs get whatever CVSS the marketing team for the discovering research lab wants them to get. It's literally a Ouija board.


But it says the Lua script feature is open by default, so any authenticated user (or the 60k without auth) can run Lua scripts -> use this RCE.


Someone will probably worm this eventually and we'll see if it has any true impact.


How about companies providing Redis as a service?


IMO, this is rather poor reporting and feels a bit flashy for a security researcher to make a name for themselves.

While Redis seems vulnerable to this by default, most companies aren't deploying directly to the internet with terribly unsafe default configurations. Like, if you're vulnerable to this, you were already at major risk anyways.


The difference is meaningless. Both scores are high enough to warrant a significant response. For that, the score is fine.


fwiw, they're using CVSSv3. In CVSSv4, it's probably an 8.7: https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L...


Basically guaranteed RCE for vulnerable configurations - a severity of 10 seems apt.

The aspect that it's only impacting a small percentage of installations in practice does not factor into the severity calculation.

OTOH I'd question the "Privileges required: low" part of the CVSS table. While out-of-box redis is vulnerable, typical deployments are secured by at least a password. Exploitation would need authentication or a separate auth bypass.

Most in-house redis deployments are probably safu if deployed according to best practices but Redis-as-a-service operators want to be on top of this.


Look, I'm not trying to tell you it's not a severe vulnerability. I'm telling you that it is not of a caliber to rank among the most severe vulnerabilities ever discovered, which is what a CVSS score of 10 means. Shellshock, which did not get scored as a "10", is in the top tier of vulnerabilities, far more severe than this one by all appearances, and it too doesn't deserve a 10.

The point isn't anything to do with the vulnerability. It's this stupid scale.



