AWS AmazonElastiCache medium security documentation change
Summary
Updated CVE documentation with new table format organized by CVE ID, added multiple new CVEs (including 2025 CVEs), restructured content into 'CVEs addressed' and 'CVEs that do not affect' sections, and removed old version-based table
Security assessment
This change documents specific security vulnerabilities (CVEs) affecting ElastiCache, including newly added 2025 CVEs (CVE-2025-67733, CVE-2025-49819, etc.) and provides guidance on which engine versions contain fixes. The documentation explicitly addresses security vulnerabilities and provides remediation guidance through version upgrades and service updates. The addition of new CVEs indicates ongoing security maintenance and vulnerability management.
Diff
diff --git a/AmazonElastiCache/latest/dg/cve.md b/AmazonElastiCache/latest/dg/cve.md index 807257c22..be96bb10d 100644 --- a//AmazonElastiCache/latest/dg/cve.md +++ b//AmazonElastiCache/latest/dg/cve.md @@ -6,0 +7,2 @@ +CVEs addressed in Amazon ElastiCacheCVEs that do not affect Amazon ElastiCache + @@ -9 +11 @@ -Common Vulnerabilities and Exposures (CVE) is a list of entries for publicly known cybersecurity vulnerabilities. Each entry is a link that contains an identification number, a description, and at least one public reference. You can find on this page a list of security vulnerabilities that have been addressed in ElastiCache. +Common Vulnerabilities and Exposures (CVE) is a list of entries for publicly known cybersecurity vulnerabilities. Each entry is a link that contains an identification number, a description, and at least one public reference. You can find on this page a list of security vulnerabilities that have been addressed in ElastiCache, as well as CVEs that do not affect ElastiCache. @@ -13,3 +15 @@ We recommend that you always upgrade to the latest ElastiCache Valkey, Redis OSS -You can use the following table to verify whether a particular version of ElastiCache Valkey and Redis OSS has a fix for a specific security vulnerability. If your ElastiCache Valkey or Redis OSS cluster is running a version without the security fix, refer to the table below and take action. You can either upgrade to a more recent ElastiCache Valkey or Redis OSS version containing the fix, or if you are on a version containing the fix, ensure you have the latest service update applied by referring to [Managing service updates for node-based clusters](./Self-Service-Updates.html#managing-updates). For more information on the supported ElastiCache engine versions and how to upgrade, see [Engine versions and upgrading in ElastiCache](./engine-versions.html). - -###### Note +## CVEs addressed in Amazon ElastiCache @@ -17 +17 @@ You can use the following table to verify whether a particular version of Elasti - * If a CVE is addressed in an ElastiCache version, it means it is also addressed in the newer versions. So for example if a vulnerability is addressed in ElastiCache for Redis OSS Version 6.0.5, this continues forward for Versions 6.2.6, 7.0.7, and 7.1. +The following table lists CVEs and the ElastiCache engine versions in which they are addressed. A checkmark (✓) indicates the CVE is addressed in that version. N/A indicates the CVE does not affect that engine version. If your ElastiCache Valkey or Redis OSS cluster is running a version without the security fix, you can either upgrade to a more recent ElastiCache Valkey or Redis OSS version containing the fix, or if you are on a version containing the fix, ensure you have the latest service update applied by referring to [Managing service updates for node-based clusters](./Self-Service-Updates.html#managing-updates). For more information about the supported ElastiCache engine versions and how to upgrade, see [Engine versions and upgrading in ElastiCache](./engine-versions.html). @@ -19 +19 @@ You can use the following table to verify whether a particular version of Elasti - * An asterisk (*) in the following table indicates you must have the latest service update applied for the ElastiCache for Redis OSS Cluster running the ElastiCache for Redis OSS Version specified in order to address the security vulnerability. For more information on how to verify you have the latest service update applied for the ElastiCache for Redis OSS version your cluster is running on, see [Managing service updates for node-based clusters](./Self-Service-Updates.html#managing-updates). +###### Note @@ -20,0 +21,57 @@ You can use the following table to verify whether a particular version of Elasti +An asterisk (*) in the following table indicates you must have the latest service update applied for the cluster running the version specified in order to address the security vulnerability. For more information about how to verify you have the latest service update applied for the version your cluster is running on, see [Managing service updates for node-based clusters](./Self-Service-Updates.html#managing-updates). + +CVE | Valkey 8.2 | Valkey 8.1 | Valkey 8.0 | Valkey 7.2 | Redis OSS 7.1 | Redis OSS 7.0 | Redis OSS 6.2 | Redis OSS 6.0 | Redis OSS 5.0 | Redis OSS 4.0 +---|---|---|---|---|---|---|---|---|---|--- +[CVE-2025-67733](https://www.cve.org/CVERecord?id=CVE-2025-67733)*| ✓| ✓| ✓| ✓| ✓| ✓| N/A| N/A| N/A| N/A +[CVE-2025-49819](https://www.cve.org/CVERecord?id=CVE-2025-49819)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2025-48367](https://www.cve.org/CVERecord?id=CVE-2025-48367)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2025-46844](https://www.cve.org/CVERecord?id=CVE-2025-46844)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2025-46818](https://www.cve.org/CVERecord?id=CVE-2025-46818)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2025-46817](https://www.cve.org/CVERecord?id=CVE-2025-46817)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2025-32023](https://www.cve.org/CVERecord?id=CVE-2025-32023)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2025-27151](https://www.cve.org/CVERecord?id=CVE-2025-27151)*| N/A| ✓| N/A| N/A| N/A| N/A| N/A| N/A| N/A| N/A +[CVE-2025-21605](https://www.cve.org/CVERecord?id=CVE-2025-21605)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2024-46981](https://www.cve.org/CVERecord?id=CVE-2024-46981)| N/A| ✓| ✓| ✓| N/A| N/A| N/A| N/A| N/A| N/A +[CVE-2024-31449](https://www.cve.org/CVERecord?id=CVE-2024-31449)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2024-31228](https://www.cve.org/CVERecord?id=CVE-2024-31228)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2024-31227](https://www.cve.org/CVERecord?id=CVE-2024-31227)*| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2023-41056](https://www.cve.org/CVERecord?id=CVE-2023-41056)*| N/A| ✓| ✓| ✓| ✓| N/A| N/A| N/A| N/A| N/A +[CVE-2023-28425](https://www.cve.org/CVERecord?id=CVE-2023-28425)*| N/A| N/A| N/A| N/A| ✓| ✓| N/A| N/A| N/A| N/A +[CVE-2023-25155](https://www.cve.org/CVERecord?id=CVE-2023-25155)| N/A| N/A| ✓| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2023-22458](https://www.cve.org/CVERecord?id=CVE-2023-22458)| N/A| N/A| ✓| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2022-36021](https://www.cve.org/CVERecord?id=CVE-2022-36021)*| N/A| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2022-35977](https://www.cve.org/CVERecord?id=CVE-2022-35977)*| N/A| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2022-35951](https://www.cve.org/CVERecord?id=CVE-2022-35951)*| N/A| N/A| N/A| N/A| ✓| ✓| N/A| N/A| N/A| N/A +[CVE-2022-31144](https://www.cve.org/CVERecord?id=CVE-2022-31144)*| N/A| N/A| N/A| N/A| ✓| ✓| N/A| N/A| N/A| N/A +[CVE-2022-24834](https://www.cve.org/CVERecord?id=CVE-2022-24834)*| N/A| N/A| ✓| ✓| ✓| ✓| ✓| ✓| ✓| ✓ +[CVE-2021-41099](https://www.cve.org/CVERecord?id=CVE-2021-41099)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32762](https://www.cve.org/CVERecord?id=CVE-2021-32762)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32761](https://www.cve.org/CVERecord?id=CVE-2021-32761)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32687](https://www.cve.org/CVERecord?id=CVE-2021-32687)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32675](https://www.cve.org/CVERecord?id=CVE-2021-32675)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32672](https://www.cve.org/CVERecord?id=CVE-2021-32672)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32628](https://www.cve.org/CVERecord?id=CVE-2021-32628)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32627](https://www.cve.org/CVERecord?id=CVE-2021-32627)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32626](https://www.cve.org/CVERecord?id=CVE-2021-32626)*| N/A| N/A| N/A| ✓| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-32625](https://www.cve.org/CVERecord?id=CVE-2021-32625)*| N/A| N/A| N/A| N/A| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-29478](https://www.cve.org/CVERecord?id=CVE-2021-29478)*| N/A| N/A| N/A| N/A| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-29477](https://www.cve.org/CVERecord?id=CVE-2021-29477)*| N/A| N/A| N/A| N/A| ✓| ✓| ✓| ✓| N/A| N/A +[CVE-2021-21309](https://www.cve.org/CVERecord?id=CVE-2021-21309)*| N/A| N/A| N/A| N/A| ✓| ✓| ✓| ✓| N/A| N/A + +## CVEs that do not affect Amazon ElastiCache + +The following CVEs do not affect Amazon ElastiCache for Valkey or Redis OSS. + + * [CVE-2026-21864](https://www.cve.org/CVERecord?id=CVE-2026-21864) + + * [CVE-2026-21863](https://www.cve.org/CVERecord?id=CVE-2026-21863) + + * [CVE-2024-51741](https://www.cve.org/CVERecord?id=CVE-2024-51741) + + * [CVE-2023-45145](https://www.cve.org/CVERecord?id=CVE-2023-45145) + + * [CVE-2023-28856](https://www.cve.org/CVERecord?id=CVE-2023-28856) + + * [CVE-2022-24736](https://www.cve.org/CVERecord?id=CVE-2022-24736) + + * [CVE-2022-24735](https://www.cve.org/CVERecord?id=CVE-2022-24735) @@ -24,10 +80,0 @@ You can use the following table to verify whether a particular version of Elasti -ElastiCache version | CVEs Addressed ----|--- -Valkey 8.1 and all previous versions of Valkey Redis OSS 7.1 and all previous versions of Redis OSS | [CVE-2025-49844](https://www.cve.org/CVERecord?id=CVE-2025-49844)*, [CVE-2025-46817](https://www.cve.org/CVERecord?id=CVE-2025-46817)*, [CVE-2025-46818](https://www.cve.org/CVERecord?id=CVE-2025-46818)*, [CVE-2025-46819](https://www.cve.org/CVERecord?id=CVE-2025-46819)* -Valkey 7.2 and 7.3 | [CVE-2025-21607](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21607)*, [CVE-2025-21605](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21605)*, [CVE-2024-31449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31449)*, [CVE-2024-31227](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31227)*, [CVE-2024-31228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31228)* -Valkey 7.2.7 | [CVE-2024-51741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-51741) -Redis OSS 7.1 and 6.2 | [CVE-2025-21605](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21605)*, [CVE-2024-31449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31449)*, [CVE-2024-31227](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31227)*, [CVE-2024-31228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31228)*, [CVE-2023-41056](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41056) -Redis OSS 7.0.7 | [CVE-2023-41056](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41056)* -Redis OSS 6.2.7 | [CVE-2024-46981](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46981) -Redis OSS 6.2.6 | [CVE-2022-24834](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24834)*, [CVE-2022-35977](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35977)*, [CVE-2022-36021](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36021)*, [CVE-2023-22458](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22458), [CVE-2023-25155](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25155), [CVE-2023-28856](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28856) [CVE-2023-45145](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45145): Note that this CVE has been addressed in Redis OSS 6.2 and 7.0 but not in Redis OSS 7.1. -Redis OSS 6.0.5 | [CVE-2022-24735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24735)*, [CVE-2022-24736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24736)*