NextGen Gateway - Security Fixes

The following security fixes apply to NextGen Gateway.

Known Vulnerability in Redis Lua Scripting

We have discovered a critical vulnerability in Redis, affecting all versions that support Lua scripting. If your environment uses Redis, an authenticated user could exploit this weakness by executing specially crafted Lua scripts, manipulating the garbage collector, and triggering a use-after-free condition. This may result in remote code execution.

Technical details of this vulnerability are limited as per Redis’s standard security policy.

We recommend the following workaround. This vulnerability has been addressed in patch version 20.0.2.

• If you are planning to upgrade to version 20.0.2, no action is required. The patch will automatically update the the necessary Redis ACL restrictions.
• If you are not upgrading to 20.0.2, you must manually restrict access to the EVAL and EVALSHA commands using Access Control Lists (ACLs) to prevent Lua script execution. See the Update Instructions page for details.