Urgent Valkey security patch fixes 3 critical vulnerabilities (CVE-2025-21605 CVSS 8.7, CVE-2025-27151, CVE-2025-49112) affecting SUSE Linux Enterprise 15 SP7. Learn how to mitigate denial-of-service risks, stack overflows, and integer underflows in Redis-compatible databases.
Why This Valkey Update is Critical for Enterprise Security
SUSE has released a security update rated "important" that addresses three vulnerabilities in Valkey (a Redis-compatible database):
CVE-2025-21605 (CVSS 8.7): Output buffer denial-of-service (DoS) attack vector
CVE-2025-27151 (CVSS 5.3): Stack overflow via unchecked filename size
CVE-2025-49112 (CVSS 3.1): Integer underflow in setDeferredReply
Affected SUSE Products:
SUSE Linux Enterprise Server 15 SP7
SUSE Linux Enterprise Real Time 15 SP7
SUSE Linux Enterprise Server for SAP Applications 15 SP7
Without this patch, attackers could:
✔ Crash Valkey instances (DoS) via malicious network traffic
✔ Execute arbitrary code through stack overflow exploits
✔ Trigger memory corruption via integer underflow
Step-by-Step Patch Instructions
Method 1: Command-Line Update (Recommended for Enterprise)
```bash
# For Server Applications Module 15-SP7:
sudo zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2025-1942=1
```
Method 2: YaST GUI Update
Open YaST Control Center → Software Management
Search for patch ID SUSE-SU-2025:01942-1
Select all Valkey-related packages and confirm installation
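Whichever method is used, the way to confirm the patch landed is to compare the installed valkey package against the fixed build listed further down in this advisory (valkey-8.0.2-150700.3.5.1). The following is an added example, not part of the SUSE advisory or of any SUSE tool: it implements a simplified form of RPM's segment-wise version comparison (numeric segments compared as integers, alphabetic segments as strings, numeric ranking above alphabetic; the `~` and `^` special cases of the real rpmvercmp are left out) and applies it to constructed sample version strings. On a real host the installed string would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' valkey`.

```python
"""Decide whether an installed valkey package is older than the fixed build
named in the advisory (valkey-8.0.2-150700.3.5.1).

Added example, not part of the SUSE advisory or any SUSE tool. The comparison
is a simplified rpmvercmp; the installed version strings are constructed.
"""
import re

# Fixed version-release taken from the advisory's package list.
FIXED_VR = "8.0.2-150700.3.5.1"


def split_segments(s):
    """Break '150700.3.5.1' into ['150700', '3', '5', '1'], dropping separators."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def compare_segments(a, b):
    """Return -1, 0 or 1 comparing two version-ish strings segment by segment."""
    sa, sb = split_segments(a), split_segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            # Simplified rpmvercmp rule: a numeric segment is newer than an alpha one.
            return 1 if x.isdigit() else -1
        else:
            if x != y:
                return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_vr(installed, fixed):
    """Compare 'version-release' strings: version first, then release."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = compare_segments(iv, fv)
    return c if c != 0 else compare_segments(ir, fr)


def needs_update(installed, fixed=FIXED_VR):
    """True when the installed build is older than the fixed build."""
    return compare_vr(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed samples of what `rpm -q` might report before and after patching.
    for vr in ("8.0.2-150700.3.2.1", "8.0.2-150700.3.5.1", "8.0.2-150700.3.10.1"):
        print(vr, "needs update" if needs_update(vr) else "patched")
```

Segment-wise comparison matters here because the release field contains `3.10.1`-style components: a plain string comparison would rank `3.10.1` below `3.5.1` and report a patched host as vulnerable.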
Vulnerability Breakdown & Risk Mitigation
| CVE ID | CVSS v4.0 | Impact | Exploitability |
|---|---|---|---|
| CVE-2025-21605 | 8.7 (Critical) | Service disruption via buffer flood | Remote, no auth (PR:N) |
| CVE-2025-27151 | 5.3 (Medium) | Local code execution | Low-privilege user (PR:L) |
| CVE-2025-49112 | 3.1 (Low) | Memory corruption | Adjacent network (AV:A) |
Proactive Security Measures:
Immediate Patching: Deploy updates within 24 hours for production systems.
Network Hardening: Restrict Valkey port (6379) to trusted IPs only.
Monitoring: Alert on abnormal memory usage (>90% of maxmemory).
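The monitoring measure above, as an added example that is not part of the advisory or of Valkey itself: a check that reads the text returned by the `INFO memory` command (one `field:value` line per field, CRLF-terminated, `#` lines for section headers) and decides whether the >90%-of-maxmemory alert should fire. It also handles the case the threshold cannot express, `maxmemory:0`, meaning no limit is configured at all. The `INFO` sample below is constructed for the example; in production the text would come from `valkey-cli INFO memory`.

```python
"""Evaluate one `INFO memory` snapshot against the 90%-of-maxmemory threshold.

Added example, not part of the SUSE advisory or the Valkey project. The sample
INFO output is constructed; the field names match the real INFO memory section.
"""

THRESHOLD = 0.90  # alert when used_memory exceeds 90% of maxmemory

# Constructed sample of `INFO memory` output (a subset of the real fields).
SAMPLE_INFO = (
    "# Memory\r\n"
    "used_memory:1000000000\r\n"
    "used_memory_human:953.67M\r\n"
    "used_memory_peak:1010000000\r\n"
    "maxmemory:1073741824\r\n"
    "maxmemory_human:1.00G\r\n"
    "maxmemory_policy:noeviction\r\n"
)


def parse_info(text):
    """Turn INFO output into a dict; section headers and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def memory_ratio(fields):
    """Return used_memory/maxmemory, or None when maxmemory is 0 (no limit set).

    With maxmemory unset the instance grows until the OS runs out of RAM, so
    the ratio is undefined; callers should treat None as a misconfiguration to
    flag rather than as "healthy".
    """
    used = int(fields.get("used_memory", 0))
    limit = int(fields.get("maxmemory", 0))
    if limit <= 0:
        return None
    return used / limit


def evaluate(text, threshold=THRESHOLD):
    """Return (status, message) for one snapshot; status is ok, alert or unbounded."""
    fields = parse_info(text)
    ratio = memory_ratio(fields)
    if ratio is None:
        return ("unbounded", "maxmemory is 0: no limit configured, cannot compute ratio")
    pct = ratio * 100
    if ratio > threshold:
        return ("alert", f"used_memory at {pct:.1f}% of maxmemory (threshold {threshold * 100:.0f}%)")
    return ("ok", f"used_memory at {pct:.1f}% of maxmemory")


if __name__ == "__main__":
    status, message = evaluate(SAMPLE_INFO)
    print(status, message)
```

The `unbounded` status is worth wiring into the same alert channel: an instance without `maxmemory` cannot hit the 90% threshold, but it is the configuration in which an output-buffer flood of the kind CVE-2025-21605 describes has the most room to consume host memory.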
Affected Valkey 8.0.2 Packages
Core Packages:
valkey-8.0.2-150700.3.5.1
valkey-devel (Development headers)
valkey-debuginfo (Troubleshooting)
Compatibility Layer:
valkey-compat-redis (Redis API support)
(Full package details: SUSE Security Portal)
FAQ: Valkey Security Update
Q1: Is this update backward-compatible with Redis clients?
A: Yes—valkey-compat-redis ensures Redis protocol compatibility.
Q2: Can CVE-2025-21605 be exploited in cloud environments?
A: Yes, if Valkey is exposed to untrusted networks (e.g., public Kubernetes pods).
Q3: What’s the performance impact of this patch?
A: <2% overhead due to additional buffer size checks.