[CVE-2018-1000115] memcached: restrict to TCP & internal_api network

https://access.redhat.com/security/cve/cve-2018-1000115 Restrict Memcached to only work on TCP and internal_api network. The restriction is made at the application and firewall levels. It will prevent DDoS amplification attacks using memcached. Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d Related-Bug: #1754607 (cherry picked from commit 1d16ceb5fb)
2018-03-09 11:22:37 +01:00 · 2018-03-09 11:22:37 +01:00 · 8fb9ff784d
parent a2d529e108
commit 8fb9ff784d
2 changed files with 31 additions and 0 deletions
--- a/puppet/services/memcached.yaml
+++ b/puppet/services/memcached.yaml
@ -49,8 +49,16 @@ parameters:
    type: string
    constraints:
      - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
+  MemcachedIpSubnet:
+    default: ''
+    description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork
+                 will be taken. Useful in the case where an operator wants to open Memcached outside
+                 of the internal network. Use this parameter with caution and be aware of
+                 opening memcached to external network can be dangerous.
+    type: string

 conditions:
+  memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
  service_debug:
    or:
      - equals: [{get_param: MemcachedDebug}, 'true']
@ -64,6 +72,11 @@ outputs:
      service_name: memcached
      monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
      config_settings:
+        memcached_network:
+          str_replace:
+            template: "NETWORK_subnet"
+            params:
+              NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
        # NOTE: bind IP is found in Heat replacing the network name with the local node IP
        # for the given network; replacement examples (eg. for internal_api):
        # internal_api -> IP
@ -71,6 +84,9 @@ outputs:
        # internal_api_subnet - > IP/CIDR
        memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]}
        memcached::max_memory: {get_param: MemcachedMaxMemory}
+        # https://access.redhat.com/security/cve/cve-2018-1000115
+        # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
+        memcached::udp_port: 0
        memcached::verbosity:
          list_join:
            - ''
@ -82,6 +98,17 @@ outputs:
        tripleo.memcached.firewall_rules:
          '121 memcached':
            dport: 11211
+            # https://access.redhat.com/security/cve/cve-2018-1000115
+            # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
+            proto: 'tcp'
+            # Memcached traffic shouldn't be open on the internet.
+            # Even if binding is configured on internal_api network, enforce it
+            # via firewall as well.
+            source:
+              if:
+              - memcached_network_unset
+              - "%{hiera('memcached_network')}"
+              - {get_param: MemcachedIpSubnet}
      step_config: |
        include ::tripleo::profile::base::memcached
      service_config_settings:
--- a/releasenotes/notes/memcached_hardening-2529734099da27f4.yaml
+++ b/releasenotes/notes/memcached_hardening-2529734099da27f4.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - |
+    Restrict memcached service to TCP and internal_api network (CVE-2018-1000115).