Redis vulnerability, is Checkmk affected?

Hi,

I was wondering if Checkmk is in any way affected by the redis vulnerability (Security Advisory: CVE-2025-49844 | Redis).
I couldn’t find anything about it, and it looks like a fix is not part of the security patches planned for tomorrow.
I just know that Checkmk uses a side process called redis, but what exactly it does, or whether it could be affected by the newly discovered redis vulnerability, I have no idea.

So it would just be nice to know that Checkmk’s redis is not affected by the vulnerability.

Thanks and best regards
Andre

Hi, we are looking into this.

Up to (excluding) 6.2.20

https://nvd.nist.gov/vuln/detail/CVE-2025-49844

on my CheckMK installation:

$ /opt/omd/versions/2.4.0p12.cre/bin/redis-server  --version
Redis server v=6.2.6 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=f35771a09122ad2e

doesn’t look good

6.2 EoL per February 28, 2025

doesn’t look good at all
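An added helper script (not from the thread or from Checkmk) that turns the manual check above into something repeatable: it parses the `redis-server --version` banner, compares the version against the 6.2.20 fix threshold quoted from NVD, and only judges the 6.2 branch, since that is the only branch the thread gives a fixed version for. The `/opt/omd/versions/*/bin/redis-server` path and the two sample banners are taken from the posts above.

```shell
#!/bin/sh
# Added example: is the redis-server bundled with a Checkmk site at or above
# the version that carries the CVE-2025-49844 fix? The 6.2 branch threshold
# (6.2.20) is the one quoted from NVD in this thread.
FIXED_VERSION="6.2.20"

# Pull the "v=6.2.6" style version out of one line of `redis-server --version` output.
redis_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*v=\([0-9][0-9.]*\).*/\1/p'
}

# Numeric dotted-version compare; prints 1 if $1 >= $2, else 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) { print 1; exit }
            if (xi < yi) { print 0; exit }
        }
        print 1
    }'
}

# Classify a banner: patched / vulnerable for the 6.2 branch, otherwise flag
# that the thread gives no threshold for that branch and it needs a manual look.
check_redis_banner() {
    v=$(redis_version_from_banner "$1")
    [ -n "$v" ] || { echo "unknown"; return; }
    case "$v" in
        6.2.*) ;;
        *) echo "other-branch"; return ;;
    esac
    if [ "$(version_ge "$v" "$FIXED_VERSION")" = 1 ]; then echo "patched"; else echo "vulnerable"; fi
}

# Constructed sample banners, using the two versions quoted in the thread.
OLD_BANNER="Redis server v=6.2.6 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=f35771a09122ad2e"
NEW_BANNER="Redis server v=6.2.20 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=d6356033b300aa4f"

# Live check of every installed Checkmk version (site layout from the thread); skips if none present.
for bin in /opt/omd/versions/*/bin/redis-server; do
    [ -x "$bin" ] || continue
    printf '%s: %s\n' "$bin" "$(check_redis_banner "$("$bin" --version 2>/dev/null)")"
done
```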

We looked into the vulnerability and determined that our product is not affected.

OMD[poller]:~$ /opt/omd/versions/2.4.0p14.cre/bin/redis-server  --version
Redis server v=6.2.20 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=d6356033b300aa4f

Looks like it’s updated from 6.2.6 to 6.2.20 :smiley:!

But somehow it’s not in the release notes. :face_with_raised_eyebrow:

Saying your product isn’t vulnerable and then silently patching it does look a bit suspicious to me.

1 Like

Only user-facing changes are documented via werks. This is not always done consistently though.
If we document each change in Checkmk, then you will be drowned in non-valuable information.

The good thing: you can read all changes in Checkmk here:

So, we are not hiding anything :slight_smile: No need to do so. Have fun reading the 200+ commits per week. In the week of Sept 7th, there were 752 commits. So, enjoy.

Updating dependencies is something we do on a regular basis.
Example: cmk-frontend: update dependencies · Checkmk/checkmk@5d46fb9 · GitHub
You search for “bump”, “update”, “dependencies” in the commits.
Or search the respective bazel module files or packages.json for stuff like npm.

3 Likes

found it Commit b33f5b4 :slight_smile:

Too bad it has no “valuable information” like why it was updated and why this version was chosen.

Updating dependencies is something we do on a regular basis.

Don’t pat yourself too hard on the shoulder, redis 6.2.6 was released four years ago, and the very first update in CheckMK (to 6.2.20) was done after @AndreHH started this topic and four weeks after the critical CVE.

nuff said

1 Like

This you can answer yourself with a look at the redis Github repo.
6.2.20 is the version that fixed the CVE you mentioned.
6.2.20 release date 3.10.25 // CMK Github commit 14.10.25
That is not so bad for a problem you cannot have on your system.

1 Like