An out-of-date version of Redis shipped with NI SystemLink Server is susceptible to multiple vulnerabilities, including CVE-2022-24834. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service.
The software update that fixes this vulnerability is tracked as CVE-2024-6121.
NI strongly recommends upgrading the affected software to address this vulnerability. Refer to the Affected Products section to download the update.
FlexLogger versions 2023 Q3 and later no longer depend on the NI SystemLink KeyValue Database Service, which includes Redis. To remove Redis from an older FlexLogger system after upgrade:
CVE-2024-6121 – 7.8 – CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.
Product Version | Mitigation |
---|---|
SystemLink Server 2024 Q1 and prior versions | Upgrade to SystemLink Server 2024 Q1 Patch 2 or later via NI Package Manager or from Software Downloads |
FlexLogger 2023 Q2 and prior versions | If NI SystemLink Server is installed: Upgrade to SystemLink Server 2024 Q1 Patch 2 or later via NI Package Manager or from Software Downloads. If NI SystemLink Server is not installed: |