Carbon Black EDR Server Security Advisory for CVE-2025-49844
Summary
Carbon Black Endpoint Detection and Response (EDR) Server bundles a version of Redis that is affected by CVE-2025-49844 (RediShell). The Redis port is not normally exposed by a CB EDR Server installation, but this advisory describes how to address the vulnerability.
Affected Product(s)
| Product                 | CVE            | Affected Version(s) | Remediation                                                                      |
|-------------------------|----------------|---------------------|----------------------------------------------------------------------------------|
| Carbon Black EDR Server | CVE-2025-49844 | All versions        | Upgrade to the 7.9.0 release of the EDR Server or apply the provided workaround. |
Solution & Additional Information
The following product update has been made available to customers to resolve this issue:
- CB EDR 7.9.0
Follow the steps from How to Upgrade an On-Prem Stand-Alone Server to the Latest Version and, if applicable, Upgrade a Clustered Server and Upgrade a Server (for Unified View).
During the upgrade you may see the following message:
--------------------------------------------------------------------------------
RECONCILE CONFIGURATION FILE CHANGES
--------------------------------------------------------------------------------
The installer has detected local changes in the following configuration
files:
/etc/cb/redis.conf.template
To ensure that the local changes are not lost, the installer placed updated
configuration files with the extension .rpmnew next to the modified files listed above.
Please manually reconcile the existing configuration files with the .rpmnew
files and then remove the .rpmnew files. When all the changes are reconciled,
re-run cbupgrade to complete the upgrade.
Note: Because a fixed Redis build is not yet available from Red Hat, the 7.9.0 release does not include a new version of Redis. It mitigates the issue through the /etc/cb/redis.conf.template change described in the workaround below, which is why the installer may report local changes to that file. A patched Redis will be delivered in an upcoming EDR Server release as soon as Red Hat publishes one. If you applied the workaround before upgrading, merge the template and its .rpmnew copy so that each rename-command line appears exactly once.
Workaround
Follow the steps below if an upgrade is not possible at this time. In a Cluster Mode or Unified View deployment, the changes must be applied on every node of the CB EDR cluster.
For existing EL7 and EL8 RPM-based installations, disable the Redis Lua scripting commands (EVAL and EVALSHA) as a security measure, as follows:
- Navigate to the following file: /etc/cb/redis.conf.template
- Add the following lines at the end of the file:
rename-command EVAL ""
rename-command EVALSHA ""
- Restart the EDR Server services
- Validate that the commands are disabled by running the following in a terminal:
(for cmd in EVAL EVALSHA; do echo "$cmd:"; redis-cli $cmd "return 1" 0 2>&1; done)
Expected output:
EVAL:
(error) ERR unknown command 'EVAL', with args beginning with: 'return 1' '0'
EVALSHA:
(error) ERR unknown command 'EVALSHA', with args beginning with: 'return 1' '0'
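The script below is an added example for the workaround just described; it is not part of the advisory or of Carbon Black's tooling. It takes the template path, the two command names and the redis-cli check from the advisory; the helper names and the REDIS_CLI variable are this example's own. It adds two things a practitioner wants when applying the change across cluster nodes: idempotency, because Redis refuses to start when a rename-command line names a command that no longer exists, so writing `rename-command EVAL ""` twice (for instance once by hand and once when merging a newer template) is fatal; and a strict validation, because the advisory's `2>&1` loop also prints NOAUTH and connection errors, which do not prove anything. On Redis 7.0 or later, Lua is additionally reachable through EVAL_RO, EVALSHA_RO and the FUNCTION/FCALL family; the Red Hat redis packages for EL7 and EL8 that this advisory targets predate those commands, which is why LUA_COMMANDS lists only the two from the advisory and is left as a variable.

```shell
#!/bin/sh
# Added example for the CB EDR RediShell workaround; not Carbon Black's code.
# From the advisory: the template path, EVAL/EVALSHA, the redis-cli check.
# Assumed: the REDIS_CLI variable and the helper names.
set -eu

REDIS_CONF_TEMPLATE="${REDIS_CONF_TEMPLATE:-/etc/cb/redis.conf.template}"
REDIS_CLI="${REDIS_CLI:-redis-cli}"
LUA_COMMANDS="EVAL EVALSHA"

# Append 'rename-command <CMD> ""' for each Lua entry point the template does
# not already rename, and print how many lines were added. Redis refuses to
# start if rename-command names a command that no longer exists, so a second
# copy of the same line (e.g. after merging a newer template that already has
# it) must never be written: re-running on a patched template prints 0.
disable_lua_commands() {
    conf="$1"; added=0
    for cmd in $LUA_COMMANDS; do
        if grep -Eiq "^[[:space:]]*rename-command[[:space:]]+${cmd}([[:space:]]|\$)" "$conf"; then
            continue
        fi
        printf 'rename-command %s ""\n' "$cmd" >> "$conf"
        added=$((added + 1))
    done
    echo "$added"
}

# Classify one redis-cli reply. Only an "unknown command" error proves the
# rename took effect. A normal reply such as "(integer) 1" means Lua is still
# enabled; a NOAUTH or "Could not connect" error means the check did not run,
# and the advisory's bare '2>&1' loop would print either just the same.
is_unknown_command_reply() {
    case "$1" in
        *"unknown command"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the advisory's check after the services have been restarted. Any extra
# arguments (e.g. -h 127.0.0.1 -p 6379 -a <password>) are passed to redis-cli.
verify_lua_disabled() {
    rc=0
    for cmd in $LUA_COMMANDS; do
        reply="$("$REDIS_CLI" "$@" "$cmd" "return 1" 0 2>&1 || true)"
        if is_unknown_command_reply "$reply"; then
            echo "$cmd: disabled"
        else
            echo "$cmd: NOT confirmed disabled: $reply" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage, as root, on every node of a cluster or Unified View deployment:
#   disable_lua_commands "$REDIS_CONF_TEMPLATE"
#   (restart the EDR Server services, then)
#   verify_lua_disabled
```

Run `disable_lua_commands` on each node, restart the EDR Server services, then run `verify_lua_disabled`; a non-zero exit means at least one Lua command still answered, or the check could not be completed and should be repeated with the right connection arguments.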
Containerized Installations
For container installations of CB EDR Server, /etc/cb/redis.conf.template is not mounted from the host, so any edit made inside the container is lost when the EDR services restart and the workaround above cannot be applied. These customers must upgrade to EDR Server 7.9.0, which already includes the change.
Mitigations
Firewall Configuration
Carbon Black EDR Server does not require Redis to be reachable from outside the host in order to function. Customers should therefore ensure the firewall allows access to the Redis port (6379) only from localhost or, in a cluster or Unified View deployment, from the other cluster nodes.
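As an added example (not Carbon Black's code), the helpers below turn the guidance above into two checks: whether Redis is listening on anything other than loopback, which is what decides whether the firewall matters at all, and a reviewable set of firewalld rules that admit port 6379 only from the cluster node networks. Only the port number comes from the advisory; the helper names, the CLUSTER network arguments and the reliance on `Local Address:Port` being the fourth column of `ss -ltn` output are this example's assumptions. The rich-rule form is firewalld's documented syntax for a source-restricted port accept; remove any earlier blanket `--add-port=6379/tcp` from the zone first, or the accept-from-anywhere rule would still apply.

```shell
#!/bin/sh
# Added example for the CB EDR Redis firewall guidance; not Carbon Black's code.
# From the advisory: port 6379. Assumed: helper names, the ss column layout
# and the cluster networks passed as arguments.
set -eu

REDIS_PORT="${REDIS_PORT:-6379}"

# Read 'ss -ltn' output on stdin and print the local address of every listener
# on the Redis port that is not bound to loopback. No output means Redis cannot
# be reached from other hosts whatever the firewall says; 0.0.0.0, * or [::]
# means the firewall is the only thing keeping the port private.
exposed_redis_listeners() {
    awk -v port="$REDIS_PORT" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            sub(":" port "$", "", addr)      # "[::1]:6379" -> "[::1]"
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print addr
        }'
}

# Print (do not run) firewalld commands that admit the Redis port only from the
# given IPv4 cluster node networks. Review the list, then execute it as root.
firewalld_allow_cluster_only() {
    for cidr in "$@"; do
        echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$cidr\" port port=\"$REDIS_PORT\" protocol=\"tcp\" accept'"
    done
    echo "firewall-cmd --reload"
}

# Usage:
#   ss -ltn | exposed_redis_listeners          # expect no output on a stand-alone server
#   firewalld_allow_cluster_only 10.0.5.0/24   # one argument per cluster node network
```

On a stand-alone server the first check should print nothing; if it prints a wildcard address, either bind Redis to loopback (see Redis Hardening below) or apply the generated rules on every node so that only the cluster peers can reach port 6379.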
Redis Hardening
Additional steps to secure the Redis server can be found in the following knowledgebase section: Securing Redis
References