This article describes how Aria Automation Config addresses the finding CVE-2020-4670, reported against its Redis component.
CVE-2020-4670, rated critical and flagged against the Redis server, is reported by security scans of the environment as "The Redis Server is Unprotected by Password Authentication".
Aria Automation Config 8.x
The finding states that the Redis server running on the remote host is not protected by password authentication, so a remote attacker could exploit this to gain unauthorized access to the server. It is reported against port 6379.
Port 6379 is the port on which the Redis service listens and over which it communicates with Salt / Aria Automation Config (RaaS).
Ensure that the RaaS configuration for Redis server connectivity follows the recommended configuration here: Redis installation and configuration.
With the recommended configuration in place when Redis is set up on a separate host from the RaaS server, the requirepass directive in /etc/redis.conf is set to the password:

    bind 0.0.0.0
    requirepass {{ your_redis_password }}

This ensures that incoming connections must authenticate with that password before Redis accepts commands.
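The following is an added example, not part of the Aria Automation Config product or its documentation: a small Python check that reads a redis.conf, reports whether requirepass is set (the mitigation described above), catches the case where the {{ your_redis_password }} placeholder was never replaced with a real value, and shows which bind address and port a scanner would see. The three configuration texts and the password value in them are constructed samples.

```python
# Added example (not from the Aria Automation Config documentation or product):
# audit a redis.conf for the requirepass setting described above.
# The three config texts below are constructed samples, not real files.

UNPROTECTED_CONF = """\
# constructed sample: config with no password (requirepass left commented out)
bind 0.0.0.0
port 6379
# requirepass foobared
"""

TEMPLATE_CONF = """\
# constructed sample: template placeholder never replaced with a real password
bind 0.0.0.0
port 6379
requirepass {{ your_redis_password }}
"""

PROTECTED_CONF = """\
# constructed sample: password set (value is a made-up example)
bind 0.0.0.0
port 6379
requirepass Example-Only-Password-42
"""


def parse_redis_conf(text):
    """Map each active directive in a redis.conf text to its argument list.

    redis.conf lines are 'keyword arg ...'; '#' begins a comment and blank
    lines are ignored. A directive that appears more than once takes its
    last value, which is how Redis itself resolves duplicates.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        directives[keyword.lower()] = args
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means requirepass is in place."""
    conf = parse_redis_conf(text)
    findings = []
    password = conf.get("requirepass", [])
    # 'requirepass ""' is the explicit way to leave authentication disabled
    if not password or password[0].strip('"') == "":
        findings.append("requirepass is not set: clients can connect without a password")
    elif password[0].startswith("{{"):
        findings.append("requirepass still contains a template placeholder, not a real password")
    return findings


def describe_listener(text):
    """Return (bind, port) as a scanner would see them for this config.

    Per the redis.conf comments, no 'bind' directive means Redis listens on
    all interfaces; the port defaults to 6379 when absent.
    """
    conf = parse_redis_conf(text)
    bind = " ".join(conf.get("bind", [])) or "all interfaces (no bind directive)"
    port = conf.get("port", ["6379"])[0]
    return bind, port


if __name__ == "__main__":
    for name, conf in [("unprotected", UNPROTECTED_CONF),
                       ("template", TEMPLATE_CONF),
                       ("protected", PROTECTED_CONF)]:
        bind, port = describe_listener(conf)
        print(f"{name}: listens on {bind}:{port}; findings: {audit_redis_conf(conf) or ['OK']}")
```

To run the check against a real host, read /etc/redis.conf into a string and pass it to audit_redis_conf; an empty result means the password requirement the article calls for is present in the file, although the running instance only picks it up after Redis is restarted or CONFIG SET requirepass is applied.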