rcbops / chef-cookbooks

RCB OPS - Chef Cookbooks

[memcached-openstack] Secure Memcached #898

Open claco opened 10 years ago

claco commented 10 years ago

This is from the internal security review recommendations. This may not be possible due to HA installs which need more than localhost bindings. We can investigate other methods of securing the ports (stunnel, stud, iptables, etc) or we can document this as a known issue with no workaround and let the security audit folks know.

Severity: Medium

Description / Exploit: RPC installs memcached and binds it to a routable interface, leaving it exposed for anyone on the network to read/write/delete from memcached.

Impact: Unauthorized users could read/write/delete from the memcached instance.

Systems Vulnerable: 198.101.133.210:11211

Suggested Mitigation: We recommend that memcached initially listens on localhost to prevent any unauthorized reads/writes/deletes. A customer could open up memcached to the necessary systems afterwards. Change /etc/memcached.conf to have the option of: -l 127.0.0.1

Further References: No references given

Affects:

cookbooks/horizon/templates/default/local_settings.py.erb
88:#        'LOCATION' : '127.0.0.1:11211',

cookbooks/memcached/metadata.rb
32:          :default      => '11211'

cookbooks/memcached/templates/default/memcached.conf.erb
28:# Default connection port is 11211

cookbooks/memcached-openstack/attributes/default.rb
1:default["memcached"]["services"]["cache"]["port"] = 11211

cookbooks/swift/templates/default/proxy-server.conf.erb
130:# commas, as in: 10.1.2.3:11211,10.1.2.4:11211
131:# memcache_servers = 127.0.0.1:11211

odyssey4me commented 10 years ago

I think it'd be useful as a start to know where memcached is used and how it's used.

I know that Horizon uses it, but it's fine for it to only use a localhost binding as the LB keeps the client sticky to the same web server.

As I recall Swift uses it too, but there it needs to be shared between the swift-proxy servers I think. (It's been a while since I've had to work with Swift all that actively.) Perhaps a simple solution for these use cases is to implement an iptables rule to block access to the port from any IPs which are unauthorised? That'll be a lot simpler than tunneling.
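Both mitigations raised in this thread, the -l 127.0.0.1 bind from the issue text and the iptables restriction proposed in the reply above, can be checked and expressed from a shell. The following is an added example, not code from the rcbops cookbooks: it assumes a Debian-style memcached.conf with one option per line, and the 192.0.2.x addresses are constructed placeholders for the swift-proxy hosts.

```shell
# Added example, not part of the rcbops cookbooks: audit a memcached.conf for a
# non-loopback bind and print iptables rules that limit the port to known peers.

# Print the address(es) from "-l ADDR" lines (Debian-style config, one option per
# line, commented lines skipped). Without -l memcached listens on every
# interface, so report 0.0.0.0 in that case.
memcached_listen_addrs() {
    addrs=$(sed -n 's/^[[:space:]]*-l[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1")
    if [ -z "$addrs" ]; then echo "0.0.0.0"; else echo "$addrs"; fi
}

# Return 0 only when every configured bind address is loopback.
memcached_is_local_only() {
    for a in $(memcached_listen_addrs "$1"); do
        case "$a" in
            127.*|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print (not apply) iptables rules accepting port $1 over TCP and UDP from the
# listed peers and dropping it from everyone else. Review, then run as root.
memcached_iptables_rules() {
    port=$1; shift
    for ip in "$@"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto -s $ip --dport $port -j ACCEPT"
        done
    done
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Constructed sample: Debian-style config bound to a routable address
# (192.0.2.x are RFC 5737 documentation addresses standing in for real hosts).
CONF=$(mktemp)
printf '%s\n' '-p 11211' '-u memcache' '-l 192.0.2.10' >"$CONF"
if memcached_is_local_only "$CONF"; then
    echo "OK: memcached bound to loopback only"
else
    echo "WARN: memcached listens on $(memcached_listen_addrs "$CONF" | tr '\n' ' ')"
    echo "Either set '-l 127.0.0.1' or restrict the port to the swift-proxy peers:"
    memcached_iptables_rules 11211 192.0.2.21 192.0.2.22
fi
rm -f "$CONF"
```

Point memcached_is_local_only at the real /etc/memcached.conf on each node to audit an existing install; the rule generator only prints, so the output can be reviewed before anything touches the firewall.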