Trust Center


Welcome to the Redis Trust Center!

Our commitment to data privacy and security is embedded in every part of our business. The information in this portal is intended to help customers better understand the security features and configurations of Redis Enterprise products, as well as Redis’ commitment to security and privacy.


Trust Center Updates

Spinning YARN: Redis Protection Information

Vulnerabilities

Security researchers at Cado Security have identified another campaign and malware variant targeting Redis in the wild. In their recently published blog post, they detail 4 variants of Golang malware they have observed targeting Docker, Hadoop YARN, Confluence, and Redis.

Specific to Redis, they describe how (yet again) these malware variants require the attacker to connect to the target Redis server in order to be successful; there is no exploit or new vulnerability involved. This initial entry takes advantage of open-source Redis instances that have been misconfigured and left in an insecure, non-default state, specifically servers that are configured with weak authentication or are compromised via other means (e.g. leaked or stolen credentials).

We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Additionally, specific features in Redis Enterprise add protections against the novel methods found in these new malware variants. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.


Migo: Redis Protection Information

Vulnerabilities

Security researchers at BleepingComputer recently published an article detailing research from Cado Security on a piece of malware called ‘Migo’ that targets Redis servers and uses them to mine cryptocurrency. In the article, they describe how Migo requires the attacker to connect to the target Redis server in order to be successful; there is no exploit or new vulnerability involved. This initial entry takes advantage of open-source Redis instances that have been misconfigured and left in an insecure, non-default state, specifically servers that are configured with weak authentication or are compromised via other means (e.g. leaked or stolen credentials).

We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Additionally, specific features in Redis Enterprise add protections against the novel methods employed by Migo. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.


Sumo Logic Security Event

Subprocessors

Redis has been made aware of and is closely following Sumo Logic’s recent precautionary announcement related to a possible security incident. Sumo Logic is a subprocessor of Redis; we have applied all recommended measures to protect against exposure. We are actively monitoring this event, and if Redis is made aware of any specific exposure of Redis or Redis customers’ information, we will notify any affected customer immediately. We have not identified any indication of, or been made aware of, any inappropriate access to Redis information via the Sumo Logic product.


Redis Cloud Achieves PCI Certification

Compliance

Every day, we are working to deliver effective and trustworthy security in our products. But we don’t expect you to just take our word for it.

That’s why we’re thrilled to announce that Redis Cloud has earned the Payment Card Industry Data Security Standard (PCI DSS) 4.0 certification for our Flexible and Annual plans on Amazon Web Services (AWS) and Google Cloud. This achievement provides even greater confidence and trust to store your customers’ cardholder data across all Redis Cloud AWS and Google Cloud regions.

You may wonder – what exactly does this certification mean? Let us break down the importance of PCI DSS certification and how it helps you confidently deliver data-oriented applications.

How does PCI DSS certification benefit me?

PCI DSS stands for Payment Card Industry Data Security Standard and is a security standard developed by the PCI Security Standards Council (SSC). It is the gold standard for financial data security, and applies to all entities that may store, process, or transmit payment card data.

The PCI DSS standard was developed to ensure cardholder data is appropriately protected via technical, operational, and physical security safeguards. Imagine Redis Cloud as a treasure chest, with your sensitive information inside; we've just validated the effectiveness of that treasure chest’s joints and locks with external auditors, who examined all the ways we work to secure it against the PCI standard.

The result? Our Qualified Security Assessor (QSA) successfully approved the effectiveness of our controls as a Level 1 PCI Service Provider to the PCI DSS 4.0 standard.

Trust and credibility for peace of mind

But that’s not all. We’re continuing to expand the security materials available to you in our Customer Trust Center, trust.redis.com. There, Redis customers may obtain our:

PCI Responsibility Matrix, which details how compliance roles and responsibilities are shared between Redis, its customers, and its hosting providers regarding PCI data stored in Redis Cloud

Attestation of Compliance (AOC), an attestation completed by our QSA that documents that Redis Cloud upholds the security requirements to protect cardholder data

You can find our full package of customer security and compliance documentation in our Customer Trust Center to give you the visibility and confidence you need into Redis’ security practices.

We're excited about this accomplishment, and we hope you are too! Do you have more technical questions or want to learn more about the security features available in Redis Cloud? We have you covered, with an entire Redis University course about security topics, including access control, data protection and encryption, secure Redis architectures, and secure deployment techniques. And it's free!


Redis Cloud is now listed on Cloud Security Alliance’s STAR Registry

Compliance

Redis is pleased to announce that our cloud service offering, Redis Cloud, is now listed on the CSA STAR Registry with a Level 1 Attestation. The CSA STAR Registry is a publicly accessible registry that documents the security and privacy controls provided by cloud service providers.

Redis is proud to have the Level 1 Attestation to exemplify our continued commitment to safeguard our customers’ data. A copy of our CAIQ can be found on the CSA STAR listing, or on trust.redis.com in the Certifications & Compliance section.

Thank you from the Redis team for your continued support and trust. Please reach out to your account representative if you have any questions.


SkidMap: Redis Protection Information

Vulnerabilities

Security researchers at Trustwave recently published an article detailing new behaviors observed by the “SkidMap” malware. In the article, they describe how SkidMap has been observed using Redis as an initial entry vector into victim environments. This initial entry takes advantage only of Redis instances that have been misconfigured and left in an insecure state, specifically instances with no or weak authentication configured or with protected mode disabled (or unavailable in the case of instances running Redis versions 3.2.0 or older).

We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.
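The Spinning YARN, Migo and SkidMap advisories above all trace initial access to the same misconfigurations: no or weak authentication and protected mode switched off. As an added example that is not Redis code or documentation, the Python below audits a redis.conf for exactly those settings; the constructed sample configs, the 16-character length threshold and the simplified directive parsing are assumptions of this example.

```python
# Example's own threshold (not a Redis default): a shorter requirepass is reported as weak.
MIN_PASSWORD_LEN = 16

def parse_redis_conf(text):
    """Parse redis.conf 'directive args...' lines into {directive: [args, ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # full-line comments and blanks
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text):
    """Return findings for the misconfigurations the advisories name."""
    conf = parse_redis_conf(text)
    findings = []
    passwords = [a[0].strip('"') for a in conf.get("requirepass", []) if a]
    acl_users = conf.get("user", [])          # ACL users can be declared inline
    nopass = [u for u in acl_users if "nopass" in u]
    if not passwords and not acl_users:
        findings.append("no authentication: neither requirepass nor ACL users set")
    if nopass:
        findings.append(f"{len(nopass)} ACL user(s) declared with nopass")
    for pw in passwords:
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"weak requirepass: {len(pw)} chars < {MIN_PASSWORD_LEN}")
    # protected-mode defaults to yes and only guards the no-bind, no-password case
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode is disabled")
    binds = [addr for args in conf.get("bind", []) for addr in args]
    open_bind = not binds or any(a in ("0.0.0.0", "*", "::") for a in binds)
    if open_bind and (nopass or not (passwords or acl_users)):
        findings.append("reachable on all interfaces without authentication")
    return findings

# Constructed sample configs for this example, not real deployments.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
requirepass redis
"""
HARDENED_CONF = """\
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass "a-long-random-value-generated-offline"
"""
```

Running `audit_redis_conf(WEAK_CONF)` reports the short password and disabled protected mode, while the hardened sample and a config with a single inline ACL user holding a real password produce no findings.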


CVE-2022-0543: Debian Lua-Based Vulnerability

Vulnerabilities

Redis Enterprise and Redis Cloud customers continue to be protected against vulnerability CVE-2022-0543, which does not exist in either Redis product or in the official open-source distributions available directly from Redis.

As the world’s most popular in-memory database, it’s no surprise that Redis installations are frequently the target of threat actors, and we are glad to see cybersecurity researchers actively working to find these bad actors. We’ve previously seen other malware created to take advantage of CVE-2022-0543, a vulnerability created by how certain versions of Debian Linux package the Lua engine for open source Redis. Redis Enterprise software bundles a hardened version of the Lua module which is not susceptible to this vulnerability. As such, customers running Redis Enterprise licensed software are not at risk from CVE-2022-0543 and P2PInfect. Users of open source Redis are encouraged to use official distributions available directly from Redis.


Security Updates

General

Redis Gains ISO 27017 and 27018 Certifications

Redis announces the company’s certification for compliance with ISO 27017:2015 and ISO 27018:2019, added to our existing ISO 27001:2013 certifications.

Every organization is concerned about securing its cloud environments, and cognizant of the challenges of doing so. Cloud security frameworks are gaining traction in the security community as one way to address the issues, by providing specific guidance about controls (including intent and rigor), control management, validation and other information related to securing a cloud use case. One advantage of such frameworks is that they have certifications to assure users that an organization meets expectations. And now Redis has added two more certifications.

Prominent among them, the International Organization for Standardization (ISO) is an international group that establishes technology and business standards, typically focused on data protection and security, with third-party audit practices to confirm adherence to best practices. Performed by independent, third-party auditors for Redis, these certifications demonstrate the maturity of our security program, and provide additional confidence in our security and privacy practices.

ISO 27017:2015 is a security standard developed for cloud service providers and users to make a safer cloud-based environment. Redis’ certification proves that we extend our disciplined Information Security Management System (ISMS) practices to the operation of Redis Cloud, adding to the ISO 27001 certification we achieved in 2022.

ISO 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII), in part as a response to the General Data Protection Regulation (GDPR). Redis’ certification exhibits our dedication to maintaining data privacy, and assures customers that, as a steward of customers’ PII, we have implemented the highest international standards to ensure data stays protected.

These certifications further demonstrate our commitment to keeping your data secure and private.


If you think you may have discovered a vulnerability, please send us a note.
