From 236d9f31bdae078d08d637c6be575f50528492c0 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Fri, 9 Mar 2018 19:55:13 +0100
Subject: [PATCH] [CVE-2018-1000115] memcached: restrict to TCP & localhost
https://access.redhat.com/security/cve/cve-2018-1000115 Restrict Memcached to only work on TCP and localhost. The restriction is made at the application and firewall levels. It will prevent DDoS amplification attacks using memcached.
Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
Related-Bug: #1754607
(cherry picked from commit 74fc85c507fc298828797c51255cee059a9684fc)
---
 .../puppet-stack-config/puppet-stack-config.yaml.template | 4 ++++
 releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index dc5005cce..e5a7ff7b5 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -34,6 +34,8 @@ certmonger_ca: {{CERTIFICATE_GENERATION_CA}}
 # Workaround for puppet deleting _member_ role assignment on old deployments
 member_role_exists: {{MEMBER_ROLE_EXISTS}}
+memcached::listen_ip: '127.0.0.1'
+memcached::udp_port: 0
 # Common Hiera data gets applied to all nodes
 ssh::server::storeconfigs_enabled: false
@@ -664,6 +666,8 @@ tripleo::firewall::firewall_rules:
 dport: 3260
 '121 memcached':
 dport: 11211
+proto: tcp
+source: '127.0.0.1'
 '122 swift proxy':
 dport:
 - 8080
diff --git a/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
new file mode 100644
index 000000000..8256af22a
--- /dev/null
+++ b/releasenotes/notes/memcached_hardening-3d6984c9b6e5f3f3.yaml
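Review bot: Binding memcached to the loopback with `memcached::listen_ip: '127.0.0.1'` will break any consumer in this template that reaches memcached through the undercloud's routable address instead of 127.0.0.1; the memcached_servers / cache backend settings for the OpenStack services live outside this hunk and should be checked in the same change. The two keys carry no explanation of why they exist, so a maintainer could later "tidy" them away; a comment such as `# CVE-2018-1000115: bind memcached to loopback and disable the UDP listener (older memcached builds enable UDP by default)` above them would pin the intent. The value '127.0.0.1' is IPv4-only; if an IPv6 loopback (::1) deployment is expected, confirm that case is covered or document that it is not.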
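Review bot: The `'121 memcached'` rule now only admits TCP from '127.0.0.1' to 11211, which matches the listener change in the first hunk, but whether the old broader rule is actually removed on an existing undercloud depends on the firewall module purging unmanaged rules, which is outside this diff — worth confirming on an upgrade rather than a fresh install. The `source: '127.0.0.1'` restriction shares the IPv4-only assumption raised on the first hunk. The enclosing `tripleo::firewall::firewall_rules` mapping starts and ends outside the hunk.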
@@ -0,0 +1,4 @@
+---
+security:
+ - |
+ Restrict memcached service to TCP and localhost network (CVE-2018-1000115).