[CVE-2018-1000115] memcached: restrict to TCP & internal_api network
https://access.redhat.com/security/cve/cve-2018-1000115
Restrict Memcached to only work on TCP and internal_api network.
The restriction is made at the application and firewall levels.
It will prevent DDoS amplification attacks using memcached.
Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
Related-Bug: #1754607
(cherry picked from commit 1d16ceb5fb)
parent a2d529e108
commit 8fb9ff784d
@ -49,8 +49,16 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
constraints:
|
constraints:
|
||||||
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
||||||
|
MemcachedIpSubnet:
|
||||||
|
default: ''
|
||||||
|
description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork
|
||||||
|
will be taken. Useful in the case where an operator wants to open Memcached outside
|
||||||
|
of the internal network. Use this parameter with caution and be aware of
|
||||||
|
opening memcached to external network can be dangerous.
|
||||||
|
type: string
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
||||||
service_debug:
|
service_debug:
|
||||||
or:
|
or:
|
||||||
- equals: [{get_param: MemcachedDebug}, 'true']
|
- equals: [{get_param: MemcachedDebug}, 'true']
|
||||||
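Review bot: `MemcachedIpSubnet` is declared as a bare `type: string` with no `constraints`, while the parameter right above it carries an `allowed_values` list; since this value is later passed verbatim into a firewall `source`, a typo or a hostname will only surface as a puppet firewall failure at deploy time. Consider adding a constraint such as `- allowed_pattern: ...` that accepts either an empty string or an IP/CIDR, or at minimum state the expected format (IP or IP/CIDR) in the description. Two smaller points: the condition `memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}` has a stray space before the colon, unlike `- equals: [...]` in `service_debug` just below it, and the description sentence `be aware of opening memcached to external network can be dangerous` should read `be aware that opening memcached to an external network can be dangerous`.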
@ -64,6 +72,11 @@ outputs:
|
|||||||
service_name: memcached
|
service_name: memcached
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||||
config_settings:
|
config_settings:
|
||||||
|
memcached_network:
|
||||||
|
str_replace:
|
||||||
|
template: "NETWORK_subnet"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
# internal_api -> IP
|
# internal_api -> IP
|
||||||
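Review bot: the new `memcached_network` hiera key only holds the string built by `str_replace` (for example `internal_api_subnet` when `MemcachedNetwork` maps to `internal_api`, per the `# NOTE` examples below) and depends on the network-name to IP/CIDR substitution those notes describe for its final value; that dependency, and the fact that the key exists solely to be read back through `%{hiera('memcached_network')}` in the firewall rule, deserves a one-line comment next to the key so a later reader does not treat it as a plain network name. It would also help to confirm in the commit message that every network an operator can select for `MemcachedNetwork` gets a matching `<network>_subnet` substitution, since an unmapped network would leave the literal `*_subnet` string in the firewall source.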
@ -71,6 +84,9 @@ outputs:
|
|||||||
# internal_api_subnet - > IP/CIDR
|
# internal_api_subnet - > IP/CIDR
|
||||||
memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
||||||
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||||
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||||
|
memcached::udp_port: 0
|
||||||
memcached::verbosity:
|
memcached::verbosity:
|
||||||
list_join:
|
list_join:
|
||||||
- ''
|
- ''
|
||||||
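Review bot: `memcached::udp_port: 0` disables the UDP listener unconditionally, which is the right default for this CVE, but neither the comment nor the commit message says whether the absence of a parameter to change it is deliberate; state that in the comment above the key so the choice is not reopened as an oversight later. Also confirm that the pinned puppet-memcached module accepts `udp_port` (memcached itself treats a UDP port of 0 as "UDP off"), since a module version without that parameter would fail at catalog compile rather than at runtime.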
@ -82,6 +98,17 @@ outputs:
|
|||||||
tripleo.memcached.firewall_rules:
|
tripleo.memcached.firewall_rules:
|
||||||
'121 memcached':
|
'121 memcached':
|
||||||
dport: 11211
|
dport: 11211
|
||||||
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||||
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||||
|
proto: 'tcp'
|
||||||
|
# Memcached traffic shouldn't be open on the internet.
|
||||||
|
# Even if binding is configured on internal_api network, enforce it
|
||||||
|
# via firewall as well.
|
||||||
|
source:
|
||||||
|
if:
|
||||||
|
- memcached_network_unset
|
||||||
|
- "%{hiera('memcached_network')}"
|
||||||
|
- {get_param: MemcachedIpSubnet}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::memcached
|
include ::tripleo::profile::base::memcached
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
|
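Review bot: the `source:` value uses the `if:` intrinsic inside `tripleo.memcached.firewall_rules`; make sure the file's `heat_template_version` supports `if` together with the `conditions:` block added in the parameters hunk. More substantively, when `memcached_network_unset` holds, the source becomes `%{hiera('memcached_network')}`, which after substitution is the node's IP/CIDR on the memcached network, so the rule admits that entire subnet; that matches the intent but should be spelled out in the `# Memcached traffic shouldn't be open on the internet.` comment so the allowed scope is explicit. When an operator supplies `MemcachedIpSubnet`, it is passed through without validation (see the parameters hunk), so a malformed value breaks the firewall catalog rather than falling back to the default.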
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Restrict memcached service to TCP and internal_api network (CVE-2018-1000115).
|
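Review bot: the release note carries only a `security:` entry; because this change limits the listener to TCP and the firewall source to the memcached network by default, deployments whose memcached clients sit on another network or use UDP will lose connectivity on upgrade. Add an `upgrade:` (or `other:`) entry naming the new `MemcachedIpSubnet` parameter as the way to widen the allowed source, so operators find the knob in the notes rather than by reading the template.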