[CVE-2018-1000115] memcached: restrict to TCP & localhost

https://access.redhat.com/security/cve/cve-2018-1000115 Restrict Memcached to only work on TCP and localhost. The restriction is made at the application and firewall levels. It will prevent DDoS amplification attacks using memcached. Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2 Related-Bug: #1754607 (cherry picked from commit 74fc85c507)
2018-03-09 19:55:13 +01:00 · 2018-03-09 19:55:13 +01:00 · 236d9f31bd
parent f54480990b
commit 236d9f31bd
2 changed files with 8 additions and 0 deletions
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -34,6 +34,8 @@ certmonger_ca: {{CERTIFICATE_GENERATION_CA}}
 # Workaround for puppet deleting _member_ role assignment on old deployments
 member_role_exists: {{MEMBER_ROLE_EXISTS}}

+memcached::listen_ip: '127.0.0.1'
+memcached::udp_port: 0

 # Common Hiera data gets applied to all nodes
 ssh::server::storeconfigs_enabled: false
@ -664,6 +666,8 @@ tripleo::firewall::firewall_rules:
    dport: 3260
  '121 memcached':
    dport: 11211
+    proto: tcp
+    source: '127.0.0.1'
  '122 swift proxy':
    dport:
      - 8080
--- a/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
+++ b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - |
+    Restrict memcached service to TCP and localhost network (CVE-2018-1000115).