From eaf77cb09c72fd1a9205c7a3266b99d6ce49d827 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Fri, 9 Mar 2018 11:22:37 +0100
Subject: [PATCH] [CVE-2018-1000115] memcached: restrict to TCP & internal_api network
https://access.redhat.com/security/cve/cve-2018-1000115
Restrict Memcached to only work on TCP and internal_api network. The restriction is made at the application and firewall levels. It will prevent DDoS amplification attacks using memcached.
Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
Related-Bug: #1754607
---
 puppet/services/memcached.yaml | 27 +++++++++++++++++++
 .../memcached_hardening-2529734099da27f4.yaml | 4 +++
 2 files changed, 31 insertions(+)
 create mode 100644 releasenotes/notes/memcached_hardening-2529734099da27f4.yaml
diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml
index 756543211e..ab11a6336b 100644
--- a/puppet/services/memcached.yaml
+++ b/puppet/services/memcached.yaml
@@ -49,8 +49,16 @@ parameters:
 type: string
 constraints:
 - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
+ MemcachedIpSubnet:
+ default: ''
+ description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork
+ will be taken. Useful in the case where an operator wants to open Memcached outside
+ of the internal network. Use this parameter with caution and be aware of
+ opening memcached to external network can be dangerous.
+ type: string

 conditions:
+ memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
 service_debug:
 or:
 - equals: [{get_param: MemcachedDebug}, 'true']
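Review bot: `memcached_network_unset: {equals : [...]}` has a stray space before the colon, unlike the `equals:` used by the `service_debug` condition just below it; write `memcached_network_unset: {equals: [{get_param: MemcachedIpSubnet}, '']}`. `MemcachedIpSubnet` also carries no constraint, whereas the parameter above it limits itself with `allowed_values`, so a malformed or overly broad value is handed straight to the firewall rule in the last hunk of this file and only fails at apply time; an `allowed_pattern` for an address or CIDR would catch that at stack validation. The description's last sentence reads awkwardly; `be aware that opening memcached to an external network can be dangerous.` is clearer.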
@@ -64,6 +72,11 @@ outputs:
 service_name: memcached
 monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
 config_settings:
+ memcached_network:
+ str_replace:
+ template: "NETWORK_subnet"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
 # NOTE: bind IP is found in hiera replacing the network name with the local node IP
 # for the given network; replacement examples (eg. for internal_api):
 # internal_api -> IP
@@ -76,6 +89,9 @@ outputs:
 params:
 $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
 memcached::max_memory: {get_param: MemcachedMaxMemory}
+ # https://access.redhat.com/security/cve/cve-2018-1000115
+ # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
+ memcached::udp_port: 0
 memcached::verbosity:
 list_join:
 - ''
@@ -87,6 +103,17 @@ outputs:
 tripleo.memcached.firewall_rules:
 '121 memcached':
 dport: 11211
+ # https://access.redhat.com/security/cve/cve-2018-1000115
+ # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
+ proto: 'tcp'
+ # Memcached traffic shouldn't be open on the internet.
+ # Even if binding is configured on internal_api network, enforce it
+ # via firewall as well.
+ source:
+ if:
+ - memcached_network_unset
+ - "%{hiera('memcached_network')}"
+ - {get_param: MemcachedIpSubnet}
 step_config: |
 include ::tripleo::profile::base::memcached
 service_config_settings:
diff --git a/releasenotes/notes/memcached_hardening-2529734099da27f4.yaml b/releasenotes/notes/memcached_hardening-2529734099da27f4.yaml
new file mode 100644
index 0000000000..daf2f3b978
--- /dev/null
+++ b/releasenotes/notes/memcached_hardening-2529734099da27f4.yaml
@@ -0,0 +1,4 @@
+---
+security:
+ - |
+ Restrict memcached service to TCP and internal_api network (CVE-2018-1000115).
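Review bot: The `memcached_network` hiera value built by `template: "NETWORK_subnet"` is the literal key name (e.g. `internal_api_subnet`), not that key's value, so the firewall `source` in the last hunk of this file, `"%{hiera('memcached_network')}"`, would appear to resolve to that name rather than to a subnet unless hiera resolves the key a second time, which is not visible here. The adjacent bind-IP setting relies on a `%{hiera(...)}` interpolation according to the `# NOTE: bind IP is found in hiera` comment; the same wrapper here, `template: "%{hiera('NETWORK_subnet')}"`, would make the key hold the subnet itself. Worth confirming against rendered hieradata before trusting the rule, since a non-address `source` either fails the firewall apply or leaves the port open. The `config_settings` mapping continues outside the hunk.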
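Review bot: When `MemcachedIpSubnet` is set, the `source` of the `'121 memcached'` rule follows the operator value while the listen address shown in the previous hunk's context is still derived from `MemcachedNetwork` (`$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}`), so the firewall opening and the bind address can diverge silently. That the parameter widens only the firewall is worth stating above `source:`, e.g. `# MemcachedIpSubnet changes only this firewall source; the listen address still follows MemcachedNetwork.` The `if:` intrinsic also quotes one branch and not the other, which is fine for Heat but reads oddly next to the quoted `proto: 'tcp'`; quoting style could be made uniform within the rule. The enclosing `outputs` block continues outside the hunk.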