We're Applying The Redis Security Fix Now


Redis users on Compose are being updated to Redis 2.8.21. Although it is a minor version update from 2.8.20, it includes a fix for a security issue that requires rapid attention. This morning, security researcher Ben Murphy gave details of a Lua sandbox escape that he had identified. Although there are many factors that mitigate the use of the escape, including using a strong password with your Redis deployment, the simple fact is that a vulnerability exists which could potentially be used as a step in a more complex attack.

Ben, to his credit, also released patches to the Lua sandbox for Redis 2.8.20 and 3.0.1, and Redis creator Salvatore Sanfilippo, aka Antirez, released new versions within hours, allowing Redis users to update as quickly as possible.

With that opportunity in mind, and for our own security and that of our customers, we decided to push the update to all our Compose Redis deployments. The update is limited to the Lua sandbox fix and two other non-security fixes and should not create any compatibility issues.

If you have any questions about this update, contact support by email or through the Compose Dashboard support page.

Dj Walker-Morgan
Dj Walker-Morgan is Compose's resident Content Curator, and has been both a developer and writer since Apples came in II flavors and Commodores had Pets.
