[CVE-2018-1000115] memcached: restrict to TCP & internal_api network

https://access.redhat.com/security/cve/cve-2018-1000115

Restrict Memcached to only work on TCP and internal_api network.
The restriction is made at the application and firewall levels.
It will prevent DDoS amplification attacks using memcached.

Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
Related-Bug: #1754607
This commit is contained in:
Emilien Macchi 2018-03-09 11:22:37 +01:00
parent 3eb0c62e47
commit eaf77cb09c
2 changed files with 31 additions and 0 deletions

View File

@ -49,8 +49,16 @@ parameters:
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
MemcachedIpSubnet:
default: ''
description: IP address/subnet on the memcached network. If empty (default), MemcachedNetwork
will be taken. Useful in the case where an operator wants to open Memcached outside
of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous.
type: string
conditions:
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
service_debug:
or:
- equals: [{get_param: MemcachedDebug}, 'true']
@ -64,6 +72,11 @@ outputs:
service_name: memcached
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings:
memcached_network:
str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
@ -76,6 +89,9 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::max_memory: {get_param: MemcachedMaxMemory}
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
memcached::udp_port: 0
memcached::verbosity:
list_join:
- ''
@ -87,6 +103,17 @@ outputs:
tripleo.memcached.firewall_rules:
'121 memcached':
dport: 11211
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
proto: 'tcp'
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
source:
if:
- memcached_network_unset
- "%{hiera('memcached_network')}"
- {get_param: MemcachedIpSubnet}
step_config: |
include ::tripleo::profile::base::memcached
service_config_settings:

View File

@ -0,0 +1,4 @@
---
security:
- |
Restrict memcached service to TCP and internal_api network (CVE-2018-1000115).