CVE-2022-24736: CWE-476: NULL Pointer Dereference in redis redis
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference that results in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
AI Analysis
Technical Summary
CVE-2022-24736 is a vulnerability in Redis, an in-memory data structure store widely used as a database, cache, and message broker. The issue is a NULL pointer dereference (CWE-476) triggered when an attacker loads a specially crafted Lua script into a Redis server older than 6.2.7 or 7.0.0. Lua scripting lets clients execute scripts atomically on the server side and is commonly used for complex operations and transaction-like behavior.

When the server processes the malicious script it dereferences a NULL pointer, an invalid memory access that crashes the redis-server process and produces a denial of service (DoS). Redis 6.2.7 and 7.0.0 fix the script-handling code so the dereference no longer occurs. Where upgrading is not immediately feasible and the application does not need Lua scripting, the practical workaround is to block the SCRIPT LOAD and EVAL commands with Redis Access Control Lists (ACLs); with those commands denied, an attacker cannot load or execute the crafted script and the crash is avoided.

There are no known exploits in the wild targeting this vulnerability, and exploitation requires the ability to send a crafted Lua script to the Redis server, which typically implies network access to it or compromised credentials. The impact is on availability: the crash interrupts service but does not directly compromise data confidentiality or integrity. Because Redis is often deployed in critical infrastructure and enterprise environments, a crash can disrupt the services that rely on it for caching or data storage.
Potential Impact
For European organizations, the primary impact of CVE-2022-24736 is the potential for denial of service through crashes of Redis servers. This can disrupt business-critical applications that depend on Redis for caching, session management, or real-time data processing. Industries such as finance, telecommunications, e-commerce, and public sector entities that rely on Redis for high availability and performance could experience service outages, leading to operational downtime and potential financial losses. While the vulnerability does not directly expose data or allow unauthorized data modification, the availability disruption can indirectly affect data processing workflows and customer-facing services. Organizations with Redis instances exposed to untrusted networks or with weak access controls are at higher risk. Additionally, if Redis is used in clustered or replicated configurations, repeated crashes could impact the stability of the entire data infrastructure. Given the medium severity and absence of known exploits, the immediate risk is moderate; however, the ease of causing a crash by sending crafted Lua scripts means attackers with network access or compromised credentials could exploit this vulnerability to cause service interruptions.
Mitigation Recommendations
1. Upgrade Redis to version 6.2.7 or later, or 7.0.0 or later, as these versions contain the fix for the NULL pointer dereference vulnerability.
2. If upgrading is not immediately possible, implement ACL rules to block the SCRIPT LOAD and EVAL commands, effectively disabling Lua scripting. This is a practical workaround that prevents exploitation without requiring a patch.
3. Restrict network access to Redis servers by enforcing strict firewall rules and network segmentation to limit exposure to untrusted networks.
4. Implement strong authentication and authorization controls for Redis, including the use of ACLs to limit command execution to trusted users and applications.
5. Monitor Redis server logs and system metrics for abnormal crashes or restarts that could indicate attempted exploitation.
6. Regularly audit Redis configurations to ensure that Lua scripting is only enabled where necessary and that access controls are properly enforced.
7. Consider deploying Redis behind a proxy or gateway that can filter or block suspicious commands or malformed scripts.
8. Incorporate Redis vulnerability scanning into routine security assessments to detect outdated versions and misconfigurations.
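The ACL workaround in item 2 only holds if no enabled user can still reach EVAL or SCRIPT LOAD, and Redis applies ACL command rules left to right, so a later `+@all` silently undoes an earlier `-@scripting`. The following Python audit is an added example, not part of this advisory or of the Redis project: it evaluates `ACL LIST` style rule strings with a simplified model of that left-to-right logic and flags users who can still load or run scripts. Only `@all` and `@scripting` are modelled; other categories that also contain these commands are ignored, and the `@scripting` membership used here is an assumption to confirm with `ACL CAT scripting` on the deployed version. The sample ACL lines are constructed for the example.

```python
"""Audit Redis ACL users for the ability to reach the Lua script loading path
(EVAL / SCRIPT LOAD) that CVE-2022-24736 crashes on.

Simplified model of Redis ACL command rules, processed left to right; only the
scripting commands are tracked. Added example, not Redis project code.
"""

# Assumption: minimal @scripting membership for 6.2/7.0; confirm with ACL CAT.
SCRIPTING_CATEGORY = {"eval", "evalsha", "script"}

# Constructed sample shaped like `ACL LIST` output; not captured from a real server.
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #0000000000000000000000000000000000000000000000000000000000000000 ~app:* &* +@all -@scripting
user batch on nopass ~* &* +@all -eval -script +script|exists
user reporting on nopass ~* &* -@all +@read +get
user retired off nopass ~* &* +@all
"""


def evaluate_user(tokens):
    """Return (enabled, can_eval, can_script_load) for one user's rule tokens."""
    enabled = False
    allowed = {cmd: False for cmd in SCRIPTING_CATEGORY}  # a fresh ACL user has no commands
    script_load_override = None  # set by +script|load / -script|load (the -form is 7.0 syntax)
    for tok in tokens:
        if tok == "on":
            enabled = True
        elif tok == "off":
            enabled = False
        elif tok in ("allcommands", "+@all"):
            allowed = {cmd: True for cmd in allowed}
            script_load_override = None
        elif tok in ("nocommands", "-@all"):
            allowed = {cmd: False for cmd in allowed}
            script_load_override = None
        elif tok in ("+@scripting", "-@scripting"):
            for cmd in SCRIPTING_CATEGORY:
                allowed[cmd] = tok[0] == "+"
            script_load_override = None
        elif tok[:1] in "+-" and not tok.startswith(("+@", "-@")):
            # Per-command rule: +cmd, -cmd, or +cmd|subcommand. Other categories are ignored.
            sign, name = tok[0] == "+", tok[1:].lower()
            cmd, _, sub = name.partition("|")
            if cmd not in allowed:
                continue  # key patterns, passwords and unrelated commands are skipped
            if sub == "":
                allowed[cmd] = sign
                if cmd == "script":
                    script_load_override = None  # whole-command rule resets subcommand rule
            elif cmd == "script" and sub == "load":
                script_load_override = sign
    can_eval = allowed["eval"]
    can_script_load = script_load_override if script_load_override is not None else allowed["script"]
    return enabled, can_eval, can_script_load


def audit_acl_list(text):
    """Parse ACL LIST style output and report scripting exposure per user."""
    report = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, tokens = parts[1], parts[2:]
        enabled, can_eval, can_load = evaluate_user(tokens)
        report[name] = {
            "enabled": enabled,
            "eval": can_eval,
            "script_load": can_load,
            "exposed": enabled and (can_eval or can_load),
        }
    return report


if __name__ == "__main__":
    for user, r in audit_acl_list(SAMPLE_ACL_LIST).items():
        flag = "EXPOSED" if r["exposed"] else "ok     "
        print(f"{flag} {user}: eval={r['eval']} script_load={r['script_load']} enabled={r['enabled']}")
```

Run against the sample, only `default` is flagged: `app` loses the whole category, `batch` loses EVAL and the SCRIPT command before re-adding an unrelated subcommand, `reporting` starts from `-@all`, and `retired` is disabled. A user that reads `-@scripting +@all` is reported as exposed, which is the ordering mistake the audit exists to catch.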
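Item 5 recommends watching for crashes and restarts. As an added example, not from this advisory or from Redis, the Python below parses redis-server log lines in their standard `pid:role date level message` layout, extracts the crash banner redis-server writes when it dies on a signal, counts restarts, and raises a crash-loop flag when several crashes land inside a short window, which is the availability pattern repeated triggering of a NULL dereference would leave behind. The log lines are constructed for the example, and the exact message strings should be confirmed against the deployed version's own logs before the patterns are used in production alerting.

```python
"""Scan redis-server log lines for crash signatures and restart loops.

Log line layout follows redis-server's `pid:role dd Mon yyyy HH:MM:SS.mmm level message`
format. Added example; the sample lines are constructed, not from a real incident.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[A-Z]) (?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[.\-*#]) (?P<msg>.*)$"
)
# Banner redis-server logs from its signal handler before dumping a bug report.
CRASH_RE = re.compile(r"crashed by signal: (?P<sig>\d+)")
READY_MSG = "Ready to accept connections"

SAMPLE_LOG = """\
4101:M 15 Apr 2022 10:00:01.100 * Ready to accept connections
4101:M 15 Apr 2022 10:03:12.410 # Redis 6.2.6 crashed by signal: 11, si_code: 0
4101:M 15 Apr 2022 10:03:12.411 # Crashed running the instruction at: 0x55d0c3e21f4a
4102:M 15 Apr 2022 10:03:14.002 * Ready to accept connections
4102:M 15 Apr 2022 10:03:40.777 # Redis 6.2.6 crashed by signal: 11, si_code: 0
4103:M 15 Apr 2022 10:03:42.300 * Ready to accept connections
4103:M 15 Apr 2022 10:04:05.001 # Redis 6.2.6 crashed by signal: 11, si_code: 0
4104:M 15 Apr 2022 10:04:07.900 * Ready to accept connections
4104:M 15 Apr 2022 12:30:00.000 - DB 0: 12 keys (0 volatile) in 16 slots HT.
"""


def parse_line(line):
    """Split one redis-server log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S.%f")
    return {"pid": int(m["pid"]), "ts": ts, "level": m["level"], "msg": m["msg"]}


def crash_events(log_text):
    """Return one event per crash banner, with timestamp, pid and signal number."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = CRASH_RE.search(rec["msg"])
        if m:
            events.append({"ts": rec["ts"], "pid": rec["pid"], "signal": int(m["sig"])})
    return events


def restart_count(log_text):
    """Count server start-ups; one more than the crash count is a clean history."""
    return sum(1 for line in log_text.splitlines()
               if (rec := parse_line(line)) and rec["msg"] == READY_MSG)


def crash_loop(events, window_seconds=300, threshold=3):
    """True if at least `threshold` crashes fall inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    times = sorted(e["ts"] for e in events)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def summarize(log_text):
    events = crash_events(log_text)
    return {"crashes": len(events), "restarts": restart_count(log_text),
            "crash_loop": crash_loop(events)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Three SIGSEGV crashes within a minute trips the default five-minute, three-crash threshold; a single crash does not, so the rule separates a repeated trigger from an isolated fault. Pair the log check with a process-supervisor restart counter, since a supervisor that restarts redis-server quickly can hide the outage from uptime probes.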
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9848c4522896dcbf6442
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 2:06:02 AM
Last updated: 8/18/2025, 2:29:36 AM