A critical Redis vulnerability, CVE-2025-49844 (CVSS score 10.0), was recently disclosed with the description: Lua use-after-free may lead to remote code execution.
Please refer to the Redis site for more details of this CVE.
This CVE applies to all existing releases of the following VMware Tanzu products.
Final solution
VMware Tanzu for Valkey on Tanzu Platform version 10.2.0 has already been released; it contains Valkey OSS 8.1.4, which mitigates this CVE. Please refer to the release notes for details.
There will be no patch releases for the following older versions. If you need the fix for CVE-2025-49844, please upgrade your Redis/Valkey tile to at least version 10.2.0.
Temporary workaround
If you want to work around this issue temporarily before the official patch release is ready, please follow the steps below on every Redis instance VM deployed by BOSH.
1) "bosh ssh" into the redis-instance VM and change to the "root" user. For example,
bosh -d service-instance_e6218eb3-####-c9d02a7b62e8 ssh redis-instance/0
sudo -i
2) Back up the redis.conf file on the persistent disk first
cp /var/vcap/store/redis/config/redis.conf /var/vcap/store/redis/config/redis.conf.orig
3) Open the file /var/vcap/store/redis/config/redis.conf with an editor (e.g. vim)
vim /var/vcap/store/redis/config/redis.conf
4) Change the existing EVAL/EVALSHA lines to
rename-command EVAL ""
rename-command EVALSHA ""
Add the following three lines as well.
rename-command FCALL ""
rename-command FUNCTION ""
rename-command SCRIPT ""
The redis.conf file should look like this after it is updated.
# Plan Properties:
......
rename-command EVAL ""
rename-command EVALSHA ""
rename-command FCALL ""
rename-command FUNCTION ""
rename-command SCRIPT ""
......
5) Restart the redis job for the changes to take effect
monit restart redis
6) Make sure "monit summary" shows the redis job as running. For example,
# monit summary
The Monit daemon 5.2.5 uptime: 45m
Process 'redis' running
Process 'service-metrics' running
......
### Please note that the above steps must be performed again if the redis-instance VM is updated by a manual BOSH command or by "Apply Changes" from Ops Manager
If you want to verify Lua scripting has been deactivated successfully, please refer to the following steps.
1) Create a service key for the redis service instance if one does not already exist, and note down the password in the service key. For example,
$ cf create-service-key redis1 redis1-key
$ cf service-key redis1 redis1-key
Getting key redis1-key for service instance redis1 as admin...
{
"credentials": {
"host": "q-s0.redis-instance.infra.service-instance-e6218eb3-####-c9d02a7b62e8.bosh",
"password": "el####Dn",
"port": 6379,
"service_gateway_access_port": 0,
"service_gateway_enabled": false,
"tls_port": 16379,
"tls_versions": [
"tlsv1.2",
"tlsv1.3"
]
}
}
2) "bosh ssh" into the redis-instance VM and change to the root user with the "sudo -i" command
3) Start redis-cli. For example,
~# LD_LIBRARY_PATH=/var/vcap/packages/openssl/lib/ /var/vcap/packages/redis/bin/redis-cli -p 6379 -a el####Dn
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
127.0.0.1:6379>
** Replace the password el####Dn with the one you noted down in step 1)
4) Try the "eval" command, which should fail as shown below
127.0.0.1:6379> eval "return 1" 0
(error) ERR unknown command 'eval', with args beginning with: 'return 1' '0'