SCA: security update for org.redisson:redisson (GHSA-4hvc-qwr2-f8rv)

critical Tenable Self-Hosted Container Security Plugin ID 410229

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the
messages received from the Redis server contain Java objects that the client deserializes without further
validation. Attackers that manage to trick clients into communicating with a malicious server can include
especially crafted objects in its responses that, once deserialized by the client, force it to execute
arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0
contains a patch for this issue. Some post-fix advice is available. Do NOT use `Kryo5Codec` as
deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the
`setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to
`SerializationCodec` only consists of adding an optional allowlist of class names, even though making this
behavior the default is recommended. When instantiating `SerializationCodec` please use the
`SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the
allowed classes for deserialization. (CVE-2023-42809)

See Also

https://github.com/advisories/GHSA-4hvc-qwr2-f8rv

Plugin Details

Severity: Critical

ID: 410229

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.54

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-42809

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 8.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2024

Vulnerability Publication Date: 10/4/2023

Reference Information

CVE: CVE-2023-42809

cwe: CWE-502