diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index 78203f3c4..104802359 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -36,6 +36,8 @@ ssh::server::storeconfigs_enabled: false
 memcached::max_memory: '50%'
 memcached::verbosity: 'v'
 memcached::disable_cachedump: true
+memcached::listen_ip: '127.0.0.1'
+memcached::udp_port: 0
 # Apache
 apache::server_signature: 'Off'
@@ -967,6 +969,8 @@ tripleo::firewall::firewall_rules:
 dport: 3260
 '121 memcached':
 dport: 11211
+ proto: tcp
+ source: '127.0.0.1'
 '122 swift proxy':
 dport:
 - 8080
diff --git a/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
new file mode 100644
index 000000000..8256af22a
--- /dev/null
+++ b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
@@ -0,0 +1,4 @@
+---
+security:
+ - |
+ Restrict memcached service to TCP and localhost network (CVE-2018-1000115).
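Review bot: The two added keys `memcached::listen_ip` and `memcached::udp_port` carry no in-file reason, so a later edit could widen the bind address or re-enable UDP without realising these lines are the CVE fix named in the release note. I would add `# CVE-2018-1000115: bind to loopback only and keep UDP disabled` directly above `memcached::listen_ip`. Binding to `127.0.0.1` also assumes every memcached client configured from this template uses a loopback server address. That is not visible in this hunk and is worth confirming, because a client pointed at another local address would no longer be able to connect.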
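Review bot: The narrowed `'121 memcached'` rule now only accepts TCP 11211 from source `127.0.0.1`, which looks redundant once memcached itself listens on loopback alone. If the ruleset already accepts loopback traffic elsewhere (not visible here), removing the rule would leave one less accept entry for port 11211 to audit. If it is kept, a comment such as `# loopback only: memcached must not be reachable from the network (CVE-2018-1000115)` above it would discourage someone from widening `source` later. The `tripleo::firewall::firewall_rules` mapping starts and continues outside this hunk, so neighbouring rules could not be checked.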