Common Vulnerabilities and Exposures (CVE): Security vulnerabilities addressed in ElastiCache for Redis

Common Vulnerabilities and Exposures (CVE) is a list of entries for publicly known cybersecurity vulnerabilities. Each entry is a link that contains an identification number, a description, and at least one public reference. You can find on this page a list of security vulnerabilities that have been addressed in ElastiCache for Redis.

We recommend that you always upgrade to the latest ElastiCache for Redis version to be protected against known vulnerabilities. When operating an ElastiCache Serverless Cache, CVE fixes are automatically applied to your cache. When operating self-designed clusters, ElastiCache for Redis exposes the PATCH component. For example, when using ElastiCache for Redis version 6.2.6, the major version is 6, the minor version is 2, and the patch version is 6. PATCH versions are for backwards-compatible bug fixes, security fixes, and non-functional changes.

You can use this page to verify whether a particular version of ElastiCache for Redis has a fix for a specific security vulnerability. If your ElastiCache for Redis cluster is running a version without the security fix, refer to the table below and take action. You can either upgrade to a more recent ElastiCache for Redis version containing the fix, or if you are on an ElastiCache for Redis version containing the fix, ensure you have the latest service update applied by referring to Managing service updates. For more information on the supported ElastiCache for Redis engine versions and how to upgrade, see Engine versions and upgrading.

Note

If a CVE is addressed in an ElastiCache for Redis version, it means it is also addressed in the newer versions. So for example if a vulnerability is addressed in ElastiCache for Redis Version 6.0.5, this continues forward for Versions 6.2.6, 7.0.7, and 7.1.
An asterisk (*) in the following table indicates you must have the latest service update applied for the ElastiCache for Redis Cluster running the ElastiCache for Redis Version specified in order to address the security vulnerability. For more information on how to verify you have the latest service update applied for the ElastiCache for Redis version your cluster is running on, see Managing service updates.

ElastiCache for Redis version	CVEs Addressed
Redis 6.0.5	CVE-2022-24735, CVE-2022-24736
Redis 6.2.6	CVE-2022-24834, CVE-2022-35977, CVE-2022-36021*, CVE-2022-24735, CVE-2022-24736
Redis 7.0.7	CVE-2023-41056, CVE-2022-24834, CVE-2022-35977, CVE-2022-36021, CVE-2022-24735, CVE-2022-24736
Redis 7.1.0	CVE-2023-41056, CVE-2022-24834, CVE-2022-35977, CVE-2022-36021, CVE-2022-24735, CVE-2022-24736

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Managing service updates

Logging and monitoring