ESB-2018.1703 - [Debian] memcached: Denial of service - Remote/unauthenticated 2018-06-07

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1703
                         memcached security update
                                7 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           memcached
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000127 CVE-2018-1000115 CVE-2017-9951
                   CVE-2016-8705  

Reference:         ASB-2016.0099
                   ESB-2018.0959
                   ESB-2016.2800
                   ESB-2016.2606

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4218

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4218-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : memcached
CVE ID         : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
Debian Bug     : 868701 894404

Several vulnerabilities were discovered in memcached, a high-performance
memory object caching system. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-9951

    Daniel Shapira reported a heap-based buffer over-read in memcached
    (resulting from an incomplete fix for CVE-2016-8705) triggered by
    specially crafted requests to add/set a key and allowing a remote
    attacker to cause a denial of service.

CVE-2018-1000115

    It was reported that memcached listens to UDP by default. A remote
    attacker can take advantage of it to use the memcached service as a
    DDoS amplifier.

    Default installations of memcached in Debian are not affected by
    this issue as the installation defaults to listen only on localhost.
    This update disables the UDP port by default. Listening on the UDP
    can be re-enabled in the /etc/memcached.conf (cf.
    /usr/share/doc/memcached/NEWS.Debian.gz).

CVE-2018-1000127

    An integer overflow was reported in memcached, resulting in resource
    leaks, data corruption, deadlocks or crashes.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.4.21-1.1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.33-1+deb9u1.

We recommend that you upgrade your memcached packages.

For the detailed security status of memcached please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/memcached

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsYLGtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q+HhAAoEuUicW14NzDTX0yGH8ZluMAK4Woha1rODMJdchudHtMfTiqIhTfZhUk
Gs8mOrR67F7XNKJx78DmIp7s1LNclwxbAt/UlUV3m+TaV3udK2Ai16kIaNms3soj
JEkJI9W0w7EyG4q0oyvAaEDDRPP25m3LiO05mW2qDOZUpKYdGLxnONTFngMJ/3Ov
bTNo8cUR203wyCSxyPv1Ye1Lr7anM61OzmUTg7pnE5a4e5D4ojrVx8Fjox43ppfa
KIcdqtJCZ3jTZaBqgKc2XhuhbDoOv8/apWDqefqxWI+S0GiQHvS2PuWY5q5b79AW
Xkppog9Q0NGj1Z6BX/G+LOwDGsp/kLtD+59rYdThBW2J5cKMrNOtgHlP6QjRfDYY
TWQPTWJzbWvOLiNBqtmN+Ryvcwvi11dSl8OsY/7Kh430zwE4q2/I9IMvZ0emRFXx
zw2QzlrpI5v753geHrV1UktPU8Wb/UWZbPZBCqmhTF5awLWY8NgcYZ5VowMuUqOG
ODLQ+dN0MKlV/qQPC3VyGMruY8zLt7X8a2UPINI6R1qL0bJ6CVwGCAgIFVo1OyTp
Yo6VXgYb0cIxmimh0q4up25FSXqXCh9ppbgZsvdFdAw4+zy1m9B0TprWJf+SRoms
LYwT76G0a8yuBnzMF616PQsi1yR6eKTRGKXxY9Si9Ai5JfYtJZM=
=HIAh
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWxjC12aOgq3Tt24GAQiJ3g//XWlba4xpD4bOTSTe4cNpg2T5Xrm9SrmI
buHxvDTxCJnokBhHXey++tZWQ84XimHMEnv7N5uqwfmh3aHYLwcu8IW3SQvMacRU
zeV+7VqrcaZSUcWHNnPD/t2ETOOJwjbWGWXVCGeM17TKSr8GFq+A15VMav0FVhOS
IdNmFdpDyx0AhUdEVaIgFD2wUn6+2rvznnQZejvm+LQca/T2+GluuY82m7j3Uqtf
KNK5sl2wU0ZLjsN75Y5uMKVzqGf32wo6UUV1Zb+CiIfQ+MU3tNIzR3k2l0NzrL7u
8A+YfYEa3FvcbejA9r7eg4IcGU9x9swt6aEhUy+lMBSiWPX8GpKzwrbJew4ncw1x
RIqQbHTO3UmIa/G0Uv0zQD8DYnlW2xYBS1rX+e51G8mduk8oHFXT7KTRTzoOnb7z
MS7WjFbmnpFx07xsDZGlaEtuWGoIsSJiU8ANj8r1cwj+d5tcPidaBK97mF8OVmBi
ChRRuxW2dI+9UkUEym46bP1IOm24fgXVcYmShulY+r9abiKXXnnCbBUE8+O2PXwH
Tvt5PbUYzOCMtPU9GIg64i7SWVKWSgZGwaZE5ZS5ZoPJsCYREjdP3S8sn/Sootqt
syrAxruRUHjfasCfrrl9ASyNBOd/iYqvyFzRUh4LNeJ45BG/9urLVQ+Ubm6f1ym5
j4Cp13otUBU=
=LQYT
-----END PGP SIGNATURE-----

« Back to bulletins