diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index dc5005cce..e5a7ff7b5 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -34,6 +34,8 @@ certmonger_ca: {{CERTIFICATE_GENERATION_CA}}
 # Workaround for puppet deleting _member_ role assignment on old deployments
 member_role_exists: {{MEMBER_ROLE_EXISTS}}
+memcached::listen_ip: '127.0.0.1'
+memcached::udp_port: 0
 # Common Hiera data gets applied to all nodes
 ssh::server::storeconfigs_enabled: false
@@ -664,6 +666,8 @@ tripleo::firewall::firewall_rules:
     dport: 3260
   '121 memcached':
     dport: 11211
+    proto: tcp
+    source: '127.0.0.1'
   '122 swift proxy':
     dport:
     - 8080
diff --git a/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
new file mode 100644
index 000000000..8256af22a
--- /dev/null
+++ b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
@@ -0,0 +1,4 @@
+---
+security:
+  - |
+    Restrict memcached service to TCP and localhost network (CVE-2018-1000115).
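Review bot: The two added `memcached::` keys bind the daemon to loopback and (presumably, via the puppet-memcached module's `udp_port` setting) turn off the UDP listener, but every other hiera key in this template that names a memcached endpoint for its consumers (keystone, nova and similar cache server lists) must now resolve to `127.0.0.1:11211`, or those services silently lose their cache backend; those keys are outside this hunk, so I could not confirm they already do. The rest of the file documents its workarounds with a leading comment, and these lines deserve one too, e.g. `# Bind memcached to loopback and disable UDP; see CVE-2018-1000115` above `memcached::listen_ip`. The same `'127.0.0.1'` literal is repeated in the firewall rule of the second hunk; keeping the two in step is what makes the hardening effective.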
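Review bot: The `source: '127.0.0.1'` added to the `'121 memcached'` rule duplicates the address set in `memcached::listen_ip` earlier in this template, so a later change to one of them would not be caught by the other and the firewall rule would drift from what the daemon actually binds. A short comment on the rule would make the coupling visible, e.g. `# must match memcached::listen_ip; memcached is loopback/TCP only` above `proto: tcp`. Whether hiera interpolation could be used here instead of the literal depends on how the rest of `tripleo::firewall::firewall_rules` is written, which is outside this hunk.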