Vulnerability fix: Redis sandbox escape (CVE-2022-0543)
Tencent Cloud reported the Redis sandbox escape vulnerability (CVE-2022-0543). Reference report: Debian Bug report logs - #1005787 redis: CVE-2022-0543:
Found in versions redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, redis/5:6.0.15-1
Fixed in versions redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2, redis/5:7.0~rc2-2
Affected versions: redis version less than 5:5.0.7-2ubuntu0.1
Check the redis version on the relevant Ubuntu servers:
> redis-server -v
Redis server v=5.0.7 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=66bd629f924ac924
So Redis needs to be upgraded to a newer version. The official fix instruction is:
> sudo apt-get -y install redis --only-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Skipping redis, it is not installed and only upgrades are requested.
The following packages were automatically installed and are no longer required:
...
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 302 not upgraded.
Checking the redis version again shows the upgrade did not succeed. I found an online article on installing Redis on Ubuntu and mainly followed its "Method 2: update the APT repository first, then install", which is also the method given on the Redis website:
Prerequisites
If you are running an older Debian release, first run:
sudo apt install lsb-release curl gpg
Update the apt repository, then install
curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list
sudo apt-get update
sudo apt-get install redis
Check the version again:
> redis-server -v
Redis server v=7.0.12 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=d706905cc5f560c1
The upgrade prompts whether to use the new version or keep the original one; I tested choosing N or O, and it does not modify the existing redis configuration, such as the password.
During installation the error "Package redis-server is not configured yet" appeared:
dpkg: error processing package redis-server (--configure):
installed redis-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of redis:
redis depends on redis-server (<< 6:7.0.12-1rl1~focal1.1~); however:
Package redis-server is not configured yet.
redis depends on redis-server (>= 6:7.0.12-1rl1~focal1); however:
Package redis-server is not configured yet.
dpkg: error processing package redis (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
redis-server
redis
E: Sub-process /usr/bin/dpkg returned an error code (1)
One of the machines hit this error, and afterwards installing any software with apt complained that redis-server had a problem. I also tried online tutorials that enable ipv6 or change the bind 127.0.0.1 line in the config file, but none of them worked.
Since this machine is a test server, I simply uninstalled the software:
apt-get remove redis-server
apt-get remove redis
Because I was not sure of the package name, I removed both redis and redis-server, then used the "update the apt source, then install" steps above to install again.
If you hit the error "Package redis-server is not configured yet" and no amount of reinstalling helps
As the saying goes, walk enough night roads and you will meet a ghost. After repeatedly removing and reinstalling, removing and reinstalling, I ended up in a state where it could not be installed at all and always errored out.
First, sudo apt-get install redis actually installs redis-server, redis-cli, and also a redis system service. Whether uninstalling or installing redis, stop redis first with service redis stop before doing anything else.
After a clean uninstall, the installation errored out:
> service redis status
● redis-server.service - LSB: redis-server - Persistent key-value db
Loaded: loaded (/etc/init.d/redis-server; generated)
Active: inactive (dead) since Thu 2023-08-03 10:49:46 CST; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 2967516 ExecStart=/etc/init.d/redis-server start (code=exited, status=0/SUCCESS)
Process: 2972824 ExecStop=/etc/init.d/redis-server stop (code=exited, status=0/SUCCESS)
Aug 03 10:44:21 ~ systemd[1]: Starting LSB: redis-server - Persistent key-value db...
Aug 03 10:44:21 ~ systemd[1]: Started LSB: redis-server - Persistent key-value db.
Aug 03 10:49:46 ~ systemd[1]: Stopping LSB: redis-server - Persistent key-value db...
Aug 03 10:49:46 ~ systemd[1]: redis-server.service: Succeeded.
Aug 03 10:49:46 ~ systemd[1]: Stopped LSB: redis-server - Persistent key-value db.
> sudo apt-get install redis
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
redis-server
The following NEW packages will be installed:
redis redis-server
0 upgraded, 2 newly installed, 0 to remove and 423 not upgraded.
Need to get 0 B/129 kB of archives.
After this operation, 251 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Selecting previously unselected package redis-server.
(Reading database ... 84086 files and directories currently installed.)
Preparing to unpack .../redis-server_6%3a7.0.12-1rl1~focal1_amd64.deb ...
Unpacking redis-server (6:7.0.12-1rl1~focal1) ...
Selecting previously unselected package redis.
Preparing to unpack .../redis_6%3a7.0.12-1rl1~focal1_all.deb ...
Unpacking redis (6:7.0.12-1rl1~focal1) ...
Setting up redis-server (6:7.0.12-1rl1~focal1) ...
Job for redis-server.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status redis-server.service" and "journalctl -xe" for details.
invoke-rc.d: initscript redis-server, action "start" failed.
● redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: protocol) since Thu 2023-08-03 10:50:19 CST; 5ms ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Process: 2973493 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
Main PID: 2973493 (code=exited, status=0/SUCCESS)
dpkg: error processing package redis-server (--configure):
installed redis-server package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of redis:
redis depends on redis-server (<< 6:7.0.12-1rl1~focal1.1~); however:
Package redis-server is not configured yet.
redis depends on redis-server (>= 6:7.0.12-1rl1~focal1); however:
Package redis-server is not configured yet.
dpkg: error processing package redis (--configure):
dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.1) ...
Errors were encountered while processing:
redis-server
redis
E: Sub-process /usr/bin/dpkg returned an error code (1)
> systemctl status redis-server.service
● redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: failed (Result: protocol) since Thu 2023-08-03 10:50:21 CST; 45s ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Process: 2973762 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
Main PID: 2973762 (code=exited, status=0/SUCCESS)
Aug 03 10:50:21 ~ systemd[1]: redis-server.service: Scheduled restart job, restart counter is at 8.
Aug 03 10:50:21 ~ systemd[1]: Stopped Advanced key-value store.
Aug 03 10:50:21 ~ systemd[1]: redis-server.service: Start request repeated too quickly.
Aug 03 10:50:21 ~ systemd[1]: redis-server.service: Failed with result 'protocol'.
Aug 03 10:50:21 ~ systemd[1]: Failed to start Advanced key-value store.
The first block is the redis installation, the second is the status of the redis service. The redis version has been upgraded, but the redis service will not start.
After some time spent puzzling and searching, I finally found a method that resolved the problem: Redis not starting with systemctl. An answer there says to edit the redis config file /etc/redis/redis.conf, find the supervised no entry, and change it to supervised systemd.
I do not fully understand whether starting via systemctl is the same as starting via service, but after making the change, service redis restart did succeed. I noticed that the other two servers also have a redis service after installation (installed by default), one set to auto and the other set to no, and neither had this problem, so for now I am not sure what caused this situation.
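As an added example (not code from the original post), the supervised fix above as a small idempotent script: it reads the effective supervised directive from a redis.conf and rewrites it to supervised systemd, run here against a constructed sample file rather than /etc/redis/redis.conf.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Applies the fix the post
# arrived at: make Redis report readiness to systemd by setting
# "supervised systemd" in redis.conf. Runs against a constructed sample file;
# point it at /etc/redis/redis.conf on a real host, then restart the service
# (sudo systemctl restart redis-server).
set -eu

# Print the effective value of the "supervised" directive. Commented-out
# lines ("# supervised auto") are ignored; "no" is Redis's default when the
# directive is absent.
redis_supervised_mode() {
  awk '$1 == "supervised" { mode = $2 } END { print (mode == "" ? "no" : mode) }' "$1"
}

# Set "supervised systemd": rewrite an existing active directive in place,
# otherwise append one. Safe to run repeatedly.
set_supervised_systemd() {
  local conf="$1"
  if grep -qE '^[[:space:]]*supervised[[:space:]]' "$conf"; then
    sed -i -E 's/^[[:space:]]*supervised[[:space:]].*/supervised systemd/' "$conf"
  else
    printf '\nsupervised systemd\n' >> "$conf"
  fi
}

# Constructed sample resembling the relevant fragment of a stock redis.conf.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
bind 127.0.0.1 ::1
port 6379
# supervised auto
supervised no
EOF

echo "before: $(redis_supervised_mode "$demo_conf")"   # no
set_supervised_systemd "$demo_conf"
echo "after:  $(redis_supervised_mode "$demo_conf")"   # systemd
rm -f "$demo_conf"
```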