Title

Redis Enterprise DBMS must prevent unauthorized and unintended information transfer via shared system resources. (Cat II impact)

Discussion

The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. For more information, refer to: https://redis.io/topics/acl more information on creating clearly defined categories and adding/editing users to categories and ACLs. and https://docs.redislabs.com/latest/rs/administering/access-control/user-roles/

Check Content

Verify all returned users with security permissions are documented as requiring the permissions. In the web UI, select access control >> Redis acls. Verify that the documented users have the correct ACL(s) assigned to them by clicking the "Used By" link for each listed ACL. Verify that all documented ACLs match each of the listed ACLs. If "Redis ACL name" and "Used By" do not match the documentation, this is a finding.

Fix Text

Users and ACLs can be created and modified from the Redis Enterprise UI by navigating to the access control tab as an admin user. Update the user roles and ACLs to reflect organizational requirements.

Additional Identifiers

Rule ID: SV-251246r879649_rule

Vulnerability ID: V-251246

Group Title: SRG-APP-000243-DB-000373

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.