CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS

Bug #1754607 reported by Emilien Macchi
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Emilien Macchi

Bug Description

https://access.redhat.com/security/cve/cve-2018-1000115

Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appears to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.

It affects TripleO and the way we configure Memcached; we need to harden it following Red Hat's recommendations:

- Configure a firewall (already done, but we need to restrict traffic on TCP only and on internal network only).
- Disable UDP
- Restrict memcached to localhost (we can't do that since OpenStack services can run on other nodes).

Details of the solution can be found here: https://access.redhat.com/solutions/3369081
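An added audit check, not part of the bug report or of the TripleO patches: it reads a memcached OPTIONS string (the /etc/sysconfig/memcached form) and reports whether the two application-level controls listed above are present, UDP disabled with -U 0 and the listener bound to a specific internal address instead of all interfaces. The firewall layer (TCP 11211 from the internal network only) is a separate control and is not checked here; the sample OPTIONS strings and the 172.16.2.10 address are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the TripleO patches).
# Audits a memcached OPTIONS string for two application-level controls:
# UDP disabled (-U 0) and a non-wildcard listen address (-l <internal ip>).

# Constructed sample OPTIONS lines in the /etc/sysconfig/memcached style.
WEAK_OPTS='-p 11211 -U 11211 -l 0.0.0.0'      # UDP on, bound to every interface
HARDENED_OPTS='-p 11211 -U 0 -l 172.16.2.10'  # UDP off, internal_api address only (constructed IP)

# check_memcached_opts "<OPTIONS>"
# Returns 0 when hardened; prints each finding and returns 1 otherwise.
check_memcached_opts() {
    udp_port=11211   # memcached before 1.5.6 enables UDP on 11211 unless -U 0 is given
    listen=""        # no -l means memcached listens on all interfaces
    # shellcheck disable=SC2086  # word-split the option string on purpose
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -U) udp_port="$2"; shift ;;
            -U*) udp_port="${1#-U}" ;;
            -l) listen="$2"; shift ;;
            -l*) listen="${1#-l}" ;;
        esac
        shift
    done
    rc=0
    if [ "$udp_port" != "0" ]; then
        echo "FAIL: UDP listener enabled on port $udp_port; add -U 0"
        rc=1
    fi
    # -l accepts a comma-separated list; any wildcard entry exposes every interface
    case "$listen" in
        ""|0.0.0.0|::|*,0.0.0.0*|*,::*|0.0.0.0,*|::,*)
            echo "FAIL: listens on all interfaces (-l '${listen:-unset}'); bind to the internal_api address"
            rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: UDP disabled, bound to $listen"
    return "$rc"
}

# Show both results; "|| :" keeps the script going after the failing sample.
for opts in "$WEAK_OPTS" "$HARDENED_OPTS"; do
    echo "== OPTIONS=\"$opts\""
    check_memcached_opts "$opts" || :
done
```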


Changed in tripleo:
status: Triaged → In Progress
description: updated
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

The patch LGTM

tags: added: newton-backport-potential ocata-backport-potential pike-backport-potential
tags: added: queens-backport-potential
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/551353

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/551380

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/551382

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/551385

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/551387

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/551388

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/551389

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/551390

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/551393

OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (stable/newton)

Reviewed: https://review.openstack.org/551393
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=236d9f31bdae078d08d637c6be575f50528492c0
Submitter: Zuul
Branch: stable/newton

commit 236d9f31bdae078d08d637c6be575f50528492c0
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 19:55:13 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & localhost

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and localhost.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
    Related-Bug: #1754607
    (cherry picked from commit 74fc85c507fc298828797c51255cee059a9684fc)

tags: added: in-stable-newton
tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (stable/ocata)

Reviewed: https://review.openstack.org/551390
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=5a8cf394818df8e1c31f048be05e046df0b2c555
Submitter: Zuul
Branch: stable/ocata

commit 5a8cf394818df8e1c31f048be05e046df0b2c555
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 19:55:13 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & localhost

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and localhost.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
    Related-Bug: #1754607
    (cherry picked from commit 74fc85c507fc298828797c51255cee059a9684fc)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (stable/pike)

Reviewed: https://review.openstack.org/551389
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=eff22b403af2a1c1a011d995ec1e58729ed41b36
Submitter: Zuul
Branch: stable/pike

commit eff22b403af2a1c1a011d995ec1e58729ed41b36
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 19:55:13 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & localhost

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and localhost.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
    Related-Bug: #1754607
    (cherry picked from commit 74fc85c507fc298828797c51255cee059a9684fc)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/551353
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=a52ba3e9a7359a31abce0bba6b00f907ca85a3fa
Submitter: Zuul
Branch: master

commit a52ba3e9a7359a31abce0bba6b00f907ca85a3fa
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 19:55:13 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & localhost

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and localhost.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
    Related-Bug: #1754607

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/551387
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=067941d21132db2c1fd2c51cc267af3dbcf49622
Submitter: Zuul
Branch: stable/newton

commit 067941d21132db2c1fd2c51cc267af3dbcf49622
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 11:22:37 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & internal_api network

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and internal_api network.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
    Related-Bug: #1754607
    (cherry picked from commit d373df5ff89acaca762623fb3920b42778062f00)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/551380
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8fb9ff784da9b317b5d32b6d51b649c5930baeab
Submitter: Zuul
Branch: stable/queens

commit 8fb9ff784da9b317b5d32b6d51b649c5930baeab
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 11:22:37 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & internal_api network

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and internal_api network.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
    Related-Bug: #1754607
    (cherry picked from commit 1d16ceb5fbd4422571c4f0606c84951f3f3d2353)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/ocata)

Reviewed: https://review.openstack.org/551385
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d373df5ff89acaca762623fb3920b42778062f00
Submitter: Zuul
Branch: stable/ocata

commit d373df5ff89acaca762623fb3920b42778062f00
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 11:22:37 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & internal_api network

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and internal_api network.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
    Related-Bug: #1754607
    (cherry picked from commit 2b37b726aae2c3c8351d95de7d2a401f19467556)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/551382
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=2b37b726aae2c3c8351d95de7d2a401f19467556
Submitter: Zuul
Branch: stable/pike

commit 2b37b726aae2c3c8351d95de7d2a401f19467556
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 11:22:37 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & internal_api network

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and internal_api network.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
    Related-Bug: #1754607
    (cherry picked from commit 1d16ceb5fbd4422571c4f0606c84951f3f3d2353)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (stable/queens)

Reviewed: https://review.openstack.org/551388
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=8fff6e69422749de033e894c401cd18805d1cf1e
Submitter: Zuul
Branch: stable/queens

commit 8fff6e69422749de033e894c401cd18805d1cf1e
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 19:55:13 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & localhost

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and localhost.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
    Related-Bug: #1754607
    (cherry picked from commit 74fc85c507fc298828797c51255cee059a9684fc)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/551292
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=eaf77cb09c72fd1a9205c7a3266b99d6ce49d827
Submitter: Zuul
Branch: master

commit eaf77cb09c72fd1a9205c7a3266b99d6ce49d827
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 9 11:22:37 2018 +0100

    [CVE-2018-1000115] memcached: restrict to TCP & internal_api network

    https://access.redhat.com/security/cve/cve-2018-1000115

    Restrict Memcached to only work on TCP and internal_api network.
    The restriction is made at the application and firewall levels.
    It will prevent DDoS amplification attacks using memcached.

    Change-Id: I8fb81d7f3938b04ff7652e30de35a1ec23ae723d
    Related-Bug: #1754607

Changed in tripleo:
status: In Progress → Fix Released