[CVE-2018-1000115] memcached: restrict to TCP & localhost
https://access.redhat.com/security/cve/cve-2018-1000115
Restrict Memcached to only work on TCP and localhost.
The restriction is made at the application and firewall levels.
It will prevent DDoS amplification attacks using memcached.
Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
Related-Bug: #1754607
(cherry picked from commit 74fc85c507
)
This commit is contained in:
parent
f54480990b
commit
236d9f31bd
|
@ -34,6 +34,8 @@ certmonger_ca: {{CERTIFICATE_GENERATION_CA}}
|
|||
# Workaround for puppet deleting _member_ role assignment on old deployments
|
||||
member_role_exists: {{MEMBER_ROLE_EXISTS}}
|
||||
|
||||
memcached::listen_ip: '127.0.0.1'
|
||||
memcached::udp_port: 0
|
||||
|
||||
# Common Hiera data gets applied to all nodes
|
||||
ssh::server::storeconfigs_enabled: false
|
||||
|
@ -664,6 +666,8 @@ tripleo::firewall::firewall_rules:
|
|||
dport: 3260
|
||||
'121 memcached':
|
||||
dport: 11211
|
||||
proto: tcp
|
||||
source: '127.0.0.1'
|
||||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
Restrict memcached service to TCP and localhost network (CVE-2018-1000115).
|
Loading…
Reference in New Issue