[CVE-2018-1000115] memcached: restrict to TCP & localhost

https://access.redhat.com/security/cve/cve-2018-1000115 Restrict Memcached to only work on TCP and localhost. The restriction is made at the application and firewall levels. It will prevent DDoS amplification attacks using memcached. Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2 Related-Bug: #1754607
2018-03-09 19:55:13 +01:00 · 2018-03-09 19:55:13 +01:00 · a52ba3e9a7
parent dace40ef2d
commit a52ba3e9a7
2 changed files with 8 additions and 0 deletions
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -36,6 +36,8 @@ ssh::server::storeconfigs_enabled: false
 memcached::max_memory: '50%'
 memcached::verbosity: 'v'
 memcached::disable_cachedump: true
+memcached::listen_ip: '127.0.0.1'
+memcached::udp_port: 0

 # Apache
 apache::server_signature: 'Off'
@ -966,6 +968,8 @@ tripleo::firewall::firewall_rules:
    dport: 3260
  '121 memcached':
    dport: 11211
+    proto: tcp
+    source: '127.0.0.1'
  '122 swift proxy':
    dport:
      - 8080
--- a/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
+++ b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - |
+    Restrict memcached service to TCP and localhost network (CVE-2018-1000115).