11211 port for memcached is not certified

Bug #1691662 reported by YuanQingbo
Affects                      Status     Importance  Assigned to  Milestone
OpenStack Compute (nova)     Expired    Undecided   Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

After the user logs in to the openstack node, the data stored in memcached can be obtained with the command "memcached-tool 172.28.8.6:11211 dump", and no authentication is required.

Tags: security
Matt Riedemann (mriedem) wrote :

Isn't this a limitation in memcached instead of nova?

information type: Public → Private Security
Sean Dague (sdague) wrote :

This needs more explanation of the topology of the whole environment. memcached needs to be configured so that only the actual services consuming it have access (typically by only binding to localhost or being network fenced).

Changed in nova:
status: New → Incomplete
Morgan Fainberg (mdrnstm) wrote :

I concur with what Sean said.

I'd classify this as a documentation bug (at most) and a Class E https://security.openstack.org/vmt-process.html#incident-report-taxonomy.

description: updated
Changed in ossa:
status: New → Incomplete
Morgan Fainberg (mdrnstm) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Compute (nova) because there has been no activity for 60 days.]

Changed in nova:
status: Incomplete → Expired
Jeremy Stanley (fungi)
information type: Private Security → Public
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
tags: added: security
Jeremy Stanley (fungi) wrote :

Since this was originally opened as Public there wasn't much point in switching it to Private Security once all the nova bug subscribers were notified of it, so I've set it back to Public.

At this point, what consensus there is seems to be that this is an issue which should be corrected in documentation and/or a concern with memcached rather than any OpenStack software. It probably falls into either report class B2 (A vulnerability without a complete fix yet, security note for all versions, e.g., poor architecture / design) or C2 (A vulnerability, but not in OpenStack supported code, e.g., in a dependency) in our taxonomy, and so should not need an advisory: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Luke Hinds (lhinds) wrote :

As sdague states, memcached should not be listening on any sort of public interface, and this is covered in docs already:

https://docs.openstack.org/newton/install-guide-rdo/environment-memcached.html

Luke Hinds (lhinds) wrote :

Just noticed the above was for RDO, however it's the same for all dists:

https://docs.openstack.org/install-guide/environment-memcached-ubuntu.html
