Description
Because of improper configuration, the Redis service is reachable from the Internet without authentication, so anyone who can connect to its port can run arbitrary Redis commands.
Using Redis's built-in commands, an attacker can delete all stored data (for example with FLUSHALL). If Redis runs as root, an attacker can also use CONFIG SET to point the RDB dump directory and file name at /root/.ssh/authorized_keys, write an SSH public key there with SAVE, and then log on to the server directly over SSH.
Affected versions
All Redis versions, when the server is reachable from the Internet and authentication (requirepass) is not enabled. Redis 3.2 and later ship with protected-mode yes, which refuses connections from non-loopback addresses when neither bind nor requirepass is configured; instances where protected mode was turned off, or where bind was set to an external address without a password, are affected.
Fix
Note: You must restart Redis to bring the changes into effect.
1. Limit the addresses on which Redis listens. In redis.conf, change
bind 127.0.0.1
to the addresses of the interfaces that legitimate clients connect through (keep 127.0.0.1 if only local processes use Redis). Note that bind selects the local interfaces Redis listens on, not which clients may connect; restrict the client side as well with a firewall or security-group rule on the Redis port.
2. Set an access password. Add a long, random password after the
requirepass
directive in redis.conf. Redis AUTH is fast and unthrottled, so a short password can be brute-forced quickly.
3. Change the account Redis runs as. Run the Redis service as a dedicated account with low privileges and no login shell, so that a compromised instance cannot write to root-owned paths such as /root/.ssh.
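The following shell script is an added example for the fix steps above; it is not part of the original advisory or of the Redis project. It audits a redis.conf for the bind and requirepass settings described above and collects the commands for the low-privilege service account into a function. The config path /etc/redis/redis.conf, the data directory /var/lib/redis and the account name redis are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the original advisory: audit a redis.conf for the
# bind/requirepass fixes and show the steps for the unprivileged account.
# Paths and the account name "redis" below are assumptions.

# check_redis_conf FILE
# Prints one finding per line and returns 1 if anything is missing or weak,
# 0 if the file passes. Comments are stripped and, as Redis itself does,
# the last occurrence of a directive wins.
check_redis_conf() {
    awk '
        { sub(/#.*/, "") }                 # drop comments, re-split fields
        $1 == "bind"        { bind = ""; for (i = 2; i <= NF; i++) bind = bind " " $i }
        $1 == "requirepass" { pass = $2 }
        END {
            bad = 0
            if (bind == "") {
                print "MISSING: no bind directive; Redis listens on every interface"
                bad = 1
            } else {
                n = split(bind, a, " ")
                for (i = 1; i <= n; i++)
                    if (a[i] == "0.0.0.0" || a[i] == "::" || a[i] == "*" || a[i] == "-::*") {
                        print "WEAK: bind " a[i] " exposes Redis on all interfaces"
                        bad = 1
                    }
            }
            if (pass == "") {
                print "MISSING: requirepass is not set; no authentication"
                bad = 1
            } else if (length(pass) < 16) {
                print "WEAK: requirepass is shorter than 16 characters; AUTH is cheap to brute-force"
                bad = 1
            }
            exit bad
        }' "$1"
}

# Steps for the third fix: a dedicated system account with no login shell.
# Wrapped in a function so the audit above can run without executing them;
# call it once, as root, on the server being hardened.
create_redis_user() {
    # -r: system account; -s nologin: no interactive login for this account
    useradd -r -s /usr/sbin/nologin -d /var/lib/redis redis
    chown -R redis:redis /var/lib/redis
    # requirepass is stored in clear text, so keep the config unreadable to others
    chown root:redis /etc/redis/redis.conf
    chmod 640 /etc/redis/redis.conf
    # Then start redis-server as that account (e.g. User=redis in the systemd unit).
}

# Run against a real file: REDIS_CONF=/etc/redis/redis.conf sh harden-redis.sh
if [ -n "${REDIS_CONF:-}" ]; then
    check_redis_conf "$REDIS_CONF" || echo "redis.conf needs fixing; restart Redis after editing"
fi
```

The audit deliberately reads the effective (uncommented, last-wins) value of each directive, because a commented-out requirepass line is the most common way a server ends up with no password while looking configured. After editing, confirm the result from the network side as well: a connection from a host that should not have access must be refused, and a connection from an allowed host must get NOAUTH until AUTH is sent.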