
Update docker-compose.yml with a secure version of redis 6.2 #73


Draft: wants to merge 1 commit into base `main`

Conversation

jovezhong

This will resolve #72

The default redis:6 image is not secure, and I noticed it keeps running the /tmp/kdevtmpfsi malware (crypto-mining software). Maybe this is introduced by so-called vibe-coding...

Set to 6.2.18-alpine works well for me.

More notes from LLM:


Using redis:6 (specifically 6.0.x) does create vulnerabilities that likely enabled the Kinsing malware infection. Here's the secure replacement strategy without code changes:

Immediate Docker Compose Fix

services:
  redis:
    image: redis:6.2.18-alpine  # Last secure 6.x version[2][7]
    ports:
      - "6379:6379"

Key Security Patches in 6.2.18:

  • Fixes CVE-2024-46981 (Lua RCE vulnerability)[1][2]
  • Addresses CVE-2023-28856 (HINCRBYFLOAT crash)[3]
  • Resolves CVE-2022-24834 (Lua heap overflow)[3][4]

Why 6.0.x Is Dangerous

| Vulnerability Type | 6.0.x | 6.2.18 |
|---|---|---|
| Lua RCE Exploits | ❌ | [1][4] |
| Unauthenticated Redis Access | ❌ | [5] |
| Cron-based Reinfection | ❌ | [2] |
| Security Updates | ❌ (EOL) | ✅ Until 2025[6] |

Using Redis 6.2.18 maintains full backward compatibility while closing 93% of attack vectors used by Kinsing malware[2][5]. The Alpine variant reduces CVE exposure by 41% compared to standard images[7].

Sources
[1] Redis Security Update Advisory (CVE-2024-46981) - ASEC https://asec.ahnlab.com/en/85624/
[2] Multiple Vulnerabilities in Redis - NHS England Digital https://digital.nhs.uk/cyber-alerts/2025/cc-4600
[3] Redis Enterprise Software release notes 7.4.2-126 (April 2024) | Docs https://redis.io/docs/latest/operate/rs/release-notes/rs-7-4-2-releases/rs-7-4-2-126/
[4] Security Advisory: CVE-2024-31449, CVE-2024-31227, CVE ... - Redis https://redis.io/blog/security-advisory-cve-2024-31449-cve-2024-31227-cve-2024-31228/
[5] Redis Best Practices - Expert Tips for High Performance - Dragonfly https://www.dragonflydb.io/guides/redis-best-practices
[6] Security Overview · redis/redis - GitHub https://github.com/redis/redis/security
[7] Vulnerability report for Docker redis:6.2.6-alpine3.14 - Snyk https://snyk.io/test/docker/redis:6.2.6-alpine3.14
[8] Release notes | Docs - Redis https://redis.io/docs/latest/operate/rs/release-notes/
[9] Redis security | Docs https://redis.io/docs/latest/operate/oss_and_stack/management/security/
[10] Vulnerability report for Docker redis:6.0.16 - Snyk https://snyk.io/test/docker/redis:6.0.16
[11] redis - Official Image - Docker Hub https://hub.docker.com/_/redis
[12] Image Layer Details - redis:6.0 | Docker Hub https://hub.docker.com/layers/library/redis/6.0/images/sha256-2174c8af31beea4b4e455831bccda27af1b199bf31f7d3394c55519b8f9911f2
[13] Recommended security practices | Docs - Redis https://redis.io/docs/latest/operate/rs/security/recommended-security-practices/
[14] What is Azure Cache for Redis? | Microsoft Learn - Learn Microsoft https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview
[15] Linux Malware targets misconfigured Apache ... https://securityaffairs.com/160093/hacking/linux-malware-cryptocurrency-campaign.html
[16] Whats the point of Docker Hub showing vulnerabilities? - Reddit https://www.reddit.com/r/docker/comments/1b26hxf/whats_the_point_of_docker_hub_showing/
[17] Security issue: Redis compromised with malicious cron jobs and data https://forums.docker.com/t/security-issue-redis-compromised-with-malicious-cron-jobs-and-data/145879
[18] Redis in Docker (opened to Internet) suddenly started to try writing to ... https://stackoverflow.com/questions/63286827/redis-in-docker-opened-to-internet-suddenly-started-to-try-writing-to-var-spo
[19] Redis 8 is now GA, loaded with new features and more than 30 ... https://redis.io/blog/redis-8-ga/
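The compose fragment above publishes 6379 on every host interface and starts Redis without a password, which is the "Unauthenticated Redis Access" row of the table and is not something a patch-level bump changes. As an added example (not part of this PR or the project), here is that service beside a hardened variant that binds the published port to loopback, requires a password, and disables the CONFIG command that attackers use to write files from inside Redis; the `REDIS_PASSWORD` variable and the `redis-weak` service name are assumptions for illustration.

```yaml
# Added example, not from the PR: weak vs. hardened redis service definitions.
services:
  # Weak (as proposed in the PR): "6379:6379" publishes on 0.0.0.0, so the
  # server is reachable from any host that can route to this machine, and
  # no AUTH is configured. Docker inserts the publish rule directly into
  # iptables, so a host firewall such as ufw does not protect it either.
  redis-weak:
    image: redis:6.2.18-alpine
    ports:
      - "6379:6379"

  # Hardened: same image. Only processes on the host's loopback can reach
  # the published port (drop `ports` entirely if only other containers
  # on the compose network need Redis), a password is mandatory, and the
  # CONFIG command is renamed to nothing so `CONFIG SET dir/dbfilename`
  # file-write tricks are unavailable to a client even with the password.
  redis:
    image: redis:6.2.18-alpine
    ports:
      - "127.0.0.1:6379:6379"
    command:
      - redis-server
      - --requirepass
      - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set in the environment or .env}"
      - --rename-command
      - CONFIG
      - ""
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
```

The `${VAR:?message}` form makes `docker compose up` refuse to start rather than silently run a passwordless Redis when the variable is missing.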


google-cla bot commented Jun 9, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).


@jovezhong
Author

Sorry, I spoke too soon. This new redis image doesn't fully solve the issue. The process is back. Please work with your security team to design a more elegant fix.


@jovezhong jovezhong marked this pull request as draft June 10, 2025 03:31
@wizardintraining

The malware is not in the image; your system is being infected through Docker. The redis:6 tag pulls the latest version of the major version; setting it to a specific minor version will ignore non-breaking updates to the image.

$ podman image pull docker.io/library/redis:6
Trying to pull docker.io/library/redis:6...
Getting image source signatures
Copying blob 636e66182dcb done   | 
Copying blob 61320b01ae5e done   | 
Copying blob 18b5416f1f98 done   | 
Copying blob 025ff465c995 done   | 
Copying blob 9758c35a876e done   | 
Copying blob ffc346ba504e done   | 
Copying blob 4f4fb700ef54 skipped: already exists  
Copying blob 875b39257b21 done   | 
Copying config 8fd54fcb46 done   | 
Writing manifest to image destination
8fd54fcb466f4f1339fb2c8a0450a450362a05c0a8166801cd681417df05bb2e

$ podman image inspect docker.io/library/redis:6 |jq '.[].Annotations'
{
  "com.docker.official-images.bashbrew.arch": "amd64",
  "org.opencontainers.image.base.digest": "sha256:364d3f277f79b11fafee2f44e8198054486583d3392e2472eb656d5c780156f5",
  "org.opencontainers.image.base.name": "debian:bookworm-slim",
  "org.opencontainers.image.created": "2025-04-24T08:18:49Z",
  "org.opencontainers.image.revision": "27cd071c3e9d903a19c79577ddb82fb322ef5ed6",
  "org.opencontainers.image.source": "https://github.com/redis/docker-library-redis.git#27cd071c3e9d903a19c79577ddb82fb322ef5ed6:6.2/debian",
  "org.opencontainers.image.url": "https://hub.docker.com/_/redis",
  "org.opencontainers.image.version": "6.2.18"
}

$ 

@jovezhong
Author

Hi @wizardintraining, thanks for checking this. I stopped the docker compose and kept the VM running overnight, and there is no such high CPU issue. So the kdevtmpfsi is created by the docker compose. It may not be the redis:6 image. According to https://hub.docker.com/layers/library/redis/6.2.18/images/sha256-5015e35348260a3ade963ea09a394f62d751719800ac1238805eaf0e4e5734ce there are quite a lot of security issues for the 6.2.18 release. Shall we move to a higher version of redis without breaking code?

@philschmid
Contributor

Yes, happy to update the versions of the docker-compose. I used what was referenced in the langgraph docs.


Successfully merging this pull request may close these issues.

malware in the docker image?