
Security Redis Server Security Vulnerability - Redishell (CVE-2025-49844)

Discussion in 'Centmin Mod News' started by eva2000, Oct 9, 2025.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Redis announced a new Redis server security vulnerability - Redishell (CVE-2025-49844) https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q which is fixed in Redis server versions: 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2. More details at Wiz Finds Critical Redis RCE Vulnerability: CVE‑2025‑49844 | Wiz Blog. Also, if you are using the Redis alternative fork Valkey, they also have a security fix release out for Valkey 8.1.4 and Valkey 8.0.6. For the Redis alternative KeyDB, there is currently no security fix.

    If you like my work and want to support Centmin Mod, you can consider Centmin Mod Premium membership or a donation https://community.centminmod.com/threads/ways-to-support-centmin-mod.11435/ ;)

    Redishell Impact



    Am I at risk?

    If you're running Centmin Mod with default settings, you have good protection (Redis on localhost + CSF Firewall blocks external attacks). However, you should still upgrade, because if your web app sites, e.g. WordPress/XenForo sites, get compromised, attackers can exploit Redis locally.


    Which patched versions are available?

    Centmin Mod traditionally installs Redis from Remi Collet's repository (Remi Repo), which provides Redis packages for Enterprise Linux 7, 8, 9, and 10 (EL7-EL10). Remi fixed CVE-2025-49844 in Redis 6.2.20, 7.2.11, 8.0.4, and 8.2.2 for EL8-EL10 (excluding EL7, as CentOS 7 is EOL).
    • Redis 7.2.11 - Recommended for CentOS 7 and the EL8/EL9 default
    • Redis 8.0.4 - Latest 8.0.x series
    • Redis 8.2.2 - Latest 8.2.x series
    • Redis 6.2.20 - Latest 6.2.x series
    However, there's a catch for CentOS 7 users:
    • Remi no longer updates packages for CentOS 7 (EL7) since CentOS 7 reached end-of-life on June 30, 2024
    • This means CentOS 7 users cannot get the patched versions directly from Remi's repository
    • I built Centmin Mod's own security-fixed RPMs for CentOS 7. They were built using Redis RPMs from Remi's source packages for the newer EL7 version.
    • These are the exact same patched versions Remi provides for EL8/EL9/EL10, just rebuilt for CentOS 7 compatibility
    How to update Redis server?

    For AlmaLinux/Rocky Linux 8/9 you can just run the usual YUM update, or you'll be prompted for yum updates when exiting the centmin.sh menu via option 24:
    Code (Text):
    yum -y update redis
    

    For CentOS 7, you will need to either manually download and install Centmin Mod's custom-built Redis 7.2.11 YUM packages, or update to the latest 132.00stable or 140.00beta01, run the cmupdate command, and then run and exit the centmin.sh menu once.
    For a manual update:
    Code (Text):
    cd /svr-setup
    wget https://parts.centminmod.com/centminmodparts/rpms/redis/el7/redis-7.2.11-1.el7.x86_64.rpm
    wget https://parts.centminmod.com/centminmodparts/rpms/redis/el7/redis-devel-7.2.11-1.el7.x86_64.rpm
    
    # install redis 7.2.11
    yum -y localinstall redis-7.2.11-1.el7.x86_64.rpm redis-devel-7.2.11-1.el7.x86_64.rpm
    

    Example output on CentOS 7 when running the updated centmin.sh:
    Code (Text):
    Updating Redis from 6.2.6 to 7.2.11...
    Details https://community.centminmod.com/threads/29537/
    warning: /etc/redis/redis.conf created as /etc/redis/redis.conf.rpmnew
    warning: /etc/redis/sentinel.conf created as /etc/redis/sentinel.conf.rpmnew
    Redis updated to 7.2.11 successfully
    
     
    Last edited: Oct 9, 2025
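As an added example (not from eva2000's post or Centmin Mod's scripts), a POSIX shell check that compares an installed Redis version against the fixed releases listed above. Assumptions: branches with no fixed release listed are treated as unpatched, and REDIS_SERVER is an optional override for the binary path.

```shell
#!/bin/sh
# Added example, not Centmin Mod's code: check an installed Redis version against
# the fixed releases named in the post (6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2).
# Assumption: branches with no fixed release listed are reported as unpatched.

# fixed_for_branch MAJOR.MINOR: print the fixed release for that branch, or nothing.
fixed_for_branch() {
    case "$1" in
        6.2) echo 6.2.20 ;;
        7.2) echo 7.2.11 ;;
        7.4) echo 7.4.6 ;;
        8.0) echo 8.0.4 ;;
        8.2) echo 8.2.2 ;;
        *)   echo "" ;;
    esac
}

# version_ge A B: succeed when A >= B, comparing major, minor, patch numerically
# (a plain string compare would rank 7.2.9 above 7.2.11).
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return $?; fi
    [ "$a3" -ge "$b3" ]
}

# redis_patched VERSION: report, and succeed only when VERSION is at or above the fix.
redis_patched() {
    v=$1
    branch=${v%.*}
    fixed=$(fixed_for_branch "$branch")
    if [ -n "$fixed" ] && version_ge "$v" "$fixed"; then
        echo "Redis $v: patched (fix for $branch.x is $fixed)"
        return 0
    fi
    echo "Redis $v: VULNERABLE (fix: ${fixed:-none listed for the $branch.x branch})"
    return 1
}

# installed_redis_version: parse "Redis server v=7.2.11 sha=..." from redis-server -v.
installed_redis_version() {
    "${REDIS_SERVER:-redis-server}" -v 2>/dev/null |
        sed -n 's/.*v=\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# When run directly: check whatever redis-server is on PATH, if any.
installed=$(installed_redis_version)
if [ -n "$installed" ]; then redis_patched "$installed"
else echo "redis-server not found on PATH; call: redis_patched <version>"; fi
```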
  2. eva2000
  3. eva2000


    Upgrading To Redis 8.2



    Some folks have asked how to upgrade to Redis 8.2, as Redis 8.0 and 8.2 performance from my testing is better than Redis 7.2 and alternatives like KeyDB, Dragonfly and even Valkey https://github.com/centminmod/redis-comparison-benchmarks :)

    For CentOS 7, I also built updated Redis 8.0.4 and Redis 8.2.2 YUM RPMs, but I'm still testing them out as they weren't really built for the older CentOS 7. So far they are OK, so I will update with instructions for CentOS 7 Redis 7.2 to Redis 8.0/8.2 upgrades.

    For AlmaLinux/Rocky Linux 8/9, Remi YUM repo based Redis is set up and installed as a DNF/YUM module. You can see which version is currently installed and enabled by the [e] indicator.

    AlmaLinux 8 default is the Redis 6.2 branch or Redis 7.2:
    Code (Text):
    yum module list -q | grep -E 'redis|valkey' | tr -s ' '
    redis 5 [d] common [d] Redis persistent key-value database
    redis 6 common [d] Redis persistent key-value database
    redis remi-5.0 common [d] Redis persistent key-value database
    redis remi-6.0 common [d] Redis persistent key-value database
    redis remi-6.2 [e] common [d] Redis persistent key-value database
    redis remi-7.0 common [d] Redis persistent key-value database
    redis remi-7.2 common [d] Redis persistent key-value database
    redis remi-8.0 common [d] Redis persistent key-value database
    redis remi-8.2 common [d] Redis persistent key-value database
    valkey remi-8.1 common [d] Valkey persistent key-value database
    

    AlmaLinux 9 default is the Redis 7.2 branch:
    Code (Text):
    yum module list -q | grep -E 'redis|valkey'
    redis      7            common [d]                                            Redis persistent key-value database                          
    redis      remi-5.0     common [d]                                            Redis persistent key-value database                          
    redis      remi-6.0     common [d]                                            Redis persistent key-value database                          
    redis      remi-6.2     common [d]                                            Redis persistent key-value database                          
    redis      remi-7.0     common [d]                                            Redis persistent key-value database                          
    redis      remi-7.2 [e] common [d]                                            Redis persistent key-value database                          
    redis      remi-8.0     common [d]                                            Redis persistent key-value database                          
    redis      remi-8.2     common [d]                                            Redis persistent key-value database                          
    valkey     remi-8.1     common [d]                                            Valkey persistent key-value database
    


    For AlmaLinux/Rocky Linux 8/9 Centmin Mod installs with 140.00beta01, you can upgrade to Remi Redis 8.2 using the Centmin Mod native addons/redis-installer.sh upgrade option, which does the usual module reset + Centmin Mod specific config changes. Centmin Mod 132.00stable still maxes out at Redis 7.2 for now.
    Code (Text):
    # change into the /usr/local/src/centminmod directory
    cmdir
    addons/redis-server-install.sh upgrade
    


    For AlmaLinux/Rocky Linux 8/9 non-Centmin Mod installs, you can upgrade to Remi Redis 8.2 using the following steps with either yum or dnf commands.
    Code (Text):
    # Stop Redis if running (and back up data, optional but recommended)
    systemctl stop redis
    cp -a /var/lib/redis /var/lib/redis.bak.$(date +%F)
    
    # AppStream redis:7 or redis:6.2 enabled; reset it:
    dnf module reset -y redis
    
    # Enable Remi's Redis 8.2 stream
    dnf module enable -y redis:remi-8.2
    
    # Install and upgrade Remi Redis 8.2
    dnf install -y redis --allowerasing
    
    # Enable and start Redis 8.2
    systemctl enable --now redis
    
    # Verify Redis 8.2 version
    redis-server -v
    yum -q info redis
    


    Notes:
    • --allowerasing lets DNF replace conflicting AppStream packages if needed.
    • If you previously tweaked Redis config, check /etc/redis/redis.conf after the upgrade (port/bind, AOF/RDB settings).
    • Data files live in /var/lib/redis. Your backup lets you roll back if needed.
    AlmaLinux 8 Redis 8.2
    Code (Text):
    yum -q info redis
    Installed Packages
    Name         : redis
    Version      : 8.2.2
    Release      : 3.module_redis.8.2.el8.remi
    Architecture : x86_64
    Size         : 5.6 M
    Source       : redis-8.2.2-3.module_redis.8.2.el8.remi.src.rpm
    Repository   : @System
    From repo    : remi-modular
    Summary      : A persistent key-value database
    URL          : http://redis.io
    License      : AGPL-3.0-only AND BSD-3-Clause AND BSD-2-Clause AND MIT AND BSL-1.0
    Description  : Redis is an advanced key-value store. It is often referred to as a data
                 : structure server since keys can contain strings, hashes, lists, sets and
                 : sorted sets.
                 :
                 : You can run atomic operations on these types, like appending to a string;
                 : incrementing the value in a hash; pushing to a list; computing set
                 : intersection, union and difference; or getting the member with highest
                 : ranking in a sorted set.
                 :
                 : In order to achieve its outstanding performance, Redis works with an
                 : in-memory dataset. Depending on your use case, you can persist it either
                 : by dumping the dataset to disk every once in a while, or by appending
                 : each command to a log.
                 :
                 : Redis also supports trivial-to-setup master-slave replication, with very
                 : fast non-blocking first synchronization, auto-reconnection on net split
                 : and so forth.
                 :
                 : Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
                 : limited time-to-live, and configuration settings to make Redis behave like
                 : a cache.
                 :
                 : You can use Redis from most programming languages also.
    

    AlmaLinux 9 Redis 8.2
    Code (Text):
    yum -q info redis
    Installed Packages
    Name         : redis
    Version      : 8.2.2
    Release      : 3.module_redis.8.2.el9.remi
    Architecture : x86_64
    Size         : 6.1 M
    Source       : redis-8.2.2-3.module_redis.8.2.el9.remi.src.rpm
    Repository   : @System
    From repo    : remi-modular
    Summary      : A persistent key-value database
    URL          : http://redis.io
    License      : AGPL-3.0-only AND BSD-3-Clause AND BSD-2-Clause AND MIT AND BSL-1.0
    Description  : Redis is an advanced key-value store. It is often referred to as a data
                 : structure server since keys can contain strings, hashes, lists, sets and
                 : sorted sets.
                 :
                 : You can run atomic operations on these types, like appending to a string;
                 : incrementing the value in a hash; pushing to a list; computing set
                 : intersection, union and difference; or getting the member with highest
                 : ranking in a sorted set.
                 :
                 : In order to achieve its outstanding performance, Redis works with an
                 : in-memory dataset. Depending on your use case, you can persist it either
                 : by dumping the dataset to disk every once in a while, or by appending
                 : each command to a log.
                 :
                 : Redis also supports trivial-to-setup master-slave replication, with very
                 : fast non-blocking first synchronization, auto-reconnection on net split
                 : and so forth.
                 :
                 : Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
                 : limited time-to-live, and configuration settings to make Redis behave like
                 : a cache.
                 :
                 : You can use Redis from most programming languages also.
    


    And a preview of CentOS 7 Redis 8.2.2:
    Code (Text):
    yum -q info redis
    Installed Packages
    Name        : redis
    Arch        : x86_64
    Version     : 8.2.2
    Release     : 3.el7
    Size        : 5.6 M
    Repo        : installed
    From repo   : /redis-8.2.2-3.el7.x86_64
    Summary     : A persistent key-value database
    URL         : http://redis.io
    License     : AGPL-3.0-only AND BSD-3-Clause AND BSD-2-Clause AND MIT AND BSL-1.0
    Description : Redis is an advanced key-value store. It is often referred to as a data
                : structure server since keys can contain strings, hashes, lists, sets and
                : sorted sets.
                :
                : You can run atomic operations on these types, like appending to a string;
                : incrementing the value in a hash; pushing to a list; computing set
                : intersection, union and difference; or getting the member with highest
                : ranking in a sorted set.
                :
                : In order to achieve its outstanding performance, Redis works with an
                : in-memory dataset. Depending on your use case, you can persist it either
                : by dumping the dataset to disk every once in a while, or by appending
                : each command to a log.
                :
                : Redis also supports trivial-to-setup master-slave replication, with very
                : fast non-blocking first synchronization, auto-reconnection on net split
                : and so forth.
                :
                : Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
                : limited time-to-live, and configuration settings to make Redis behave like
                : a cache.
                :
                : You can use Redis from most programming languages also.
    
     
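The notes above say to check /etc/redis/redis.conf after the upgrade, and the "Am I at risk?" section relies on Redis staying on localhost. As an added example (not from the post or Centmin Mod), a POSIX shell audit that reads the standard bind, protected-mode and port directives and flags any non-loopback listener; the sample config at the bottom is constructed, not a real server's.

```shell
#!/bin/sh
# Added example, not Centmin Mod's code: after the upgrade, confirm the live
# /etc/redis/redis.conf still restricts Redis to localhost. The rpmnew warnings
# mean your config was kept, but re-check rather than assume.

# conf_value FILE DIRECTIVE: last active (uncommented) value of a directive, or "".
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# audit_redis_conf FILE: succeed only when every bind address is loopback and
# protected-mode is not disabled; print one WARN line per finding.
audit_redis_conf() {
    f=$1
    bind=$(conf_value "$f" bind)
    pmode=$(conf_value "$f" protected-mode)
    port=$(conf_value "$f" port)
    rc=0
    if [ -z "$bind" ]; then
        echo "WARN: no bind directive, Redis listens on all interfaces"; rc=1
    else
        for addr in $bind; do
            case "$addr" in
                127.*|-127.*|::1|-::1) ;;   # loopback IPv4/IPv6 (leading - = optional)
                *) echo "WARN: bind includes non-loopback address $addr"; rc=1 ;;
            esac
        done
    fi
    if [ "${pmode:-yes}" != "yes" ]; then
        echo "WARN: protected-mode is '$pmode'"; rc=1
    fi
    echo "port=${port:-6379} bind='${bind:-(all)}' protected-mode=${pmode:-yes}"
    return $rc
}

# Constructed sample config (not a real server's) to show the output;
# replace with /etc/redis/redis.conf on a live host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# bind 0.0.0.0
bind 127.0.0.1 -::1
protected-mode yes
port 6379
EOF
audit_redis_conf "$sample"
rm -f "$sample"
```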