On July 9, 2019, Alibaba Cloud Security detected a remote code execution vulnerability in Redis 4.0 and 5.x versions. A new function module was added to Redis 4.0, and is enabled by default in later versions. Users can use C language to compile a .so file to execute system commands, which brings high risks.

On July 9, 2019, Cloud Firewall released a virtual patch for this vulnerability. We recommend that Redis users enable this virtual patch.

Impacted versions: Redis 4.0, Redis 5.0 and later

Policy: command execution

Risk level: high

Policy-based protection: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.