ALAS2023-2025-1221

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1221
Advisory Released Date: 2025-10-14
Advisory Updated Date: 2025-10-14

Severity: Important

References: CVE-2025-46817 CVE-2025-46818 CVE-2025-46819 CVE-2025-49844
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. (CVE-2025-46817)

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. (CVE-2025-46818)

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families. (CVE-2025-46819)

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. (CVE-2025-49844)

Affected Packages:

valkey

Issue Correction:
Run dnf update valkey --releasever 2023.9.20251014 or dnf update --advisory ALAS2023-2025-1221 --releasever 2023.9.20251014 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    valkey-devel-8.0.6-3.amzn2023.0.2.aarch64
    valkey-debuginfo-8.0.6-3.amzn2023.0.2.aarch64
    valkey-8.0.6-3.amzn2023.0.2.aarch64
    valkey-debugsource-8.0.6-3.amzn2023.0.2.aarch64

src:
    valkey-8.0.6-3.amzn2023.0.2.src

x86_64:
    valkey-devel-8.0.6-3.amzn2023.0.2.x86_64
    valkey-debuginfo-8.0.6-3.amzn2023.0.2.x86_64
    valkey-8.0.6-3.amzn2023.0.2.x86_64
    valkey-debugsource-8.0.6-3.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844

Mitre: CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844