ubuntucve | Ubuntu.com | UB:CVE-2018-1000115
Mar 05, 2018 - 12:00 a.m.

CVE-2018-1000115


CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.97 High
Percentile: 99.7%

Memcached version 1.5.5 contains an Insufficient Control of Network Message
Volume (Network Amplification, CWE-406) vulnerability in the UDP support of
the memcached server that can result in denial of service via network flood
(traffic amplification of 1:50,000 has been reported by reliable sources).
This attack appears to be exploitable via network connectivity to port 11211
UDP. This vulnerability appears to have been fixed in 1.5.6 due to the
disabling of the UDP protocol by default.

Notes

Author: sbeattie
Note: in Ubuntu (and Debian) memcached is bound to the loopback interface by default. However, if memcached is bound to other interfaces, the UDP port is still enabled by default. Ubuntu update is to disable listening on UDP by default. To re-enable UDP, add '-U 11211' to /etc/memcached.conf and restart the memcached service.
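
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 17.10 | noarch | memcached | < 1.4.33-1ubuntu3.2 | UNKNOWN |
| ubuntu | 14.04 | noarch | memcached | < 1.4.14-0ubuntu9.2 | UNKNOWN |
| ubuntu | 16.04 | noarch | memcached | < 1.4.25-2ubuntu1.3 | UNKNOWN |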
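
The note above ties exposure to two settings: which interface memcached is bound to and whether UDP is enabled. The following is an added example, not code from Ubuntu or the memcached project, that audits the text of a memcached.conf for that combination. It assumes the one-option-per-line format of /etc/memcached.conf with memcached's `-l`/`--listen` and `-U`/`--udp-port` options; the function names, the `default_udp_port` parameter and the sample file are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: memcached bound to a non-loopback address, no -U line.
SAMPLE_CONF = """\
# memcached.conf (constructed example)
-m 64
-p 11211
-l 10.0.0.5
"""

def _is_loopback(addr):
    """Loopback literals and 'localhost' are local; other names count as exposed."""
    host = addr.strip()
    if host.startswith("["):            # [::1]:11211 form
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # host:port form
        host = host.split(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_memcached_conf(conf_text, default_udp_port):
    """default_udp_port is the caller's assumption about the installed build when
    no -U line is present: 11211 before the update, 0 after it."""
    udp_port, listen = default_udp_port, []
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)    # drops '#' comments
        if not tokens:
            continue
        head = tokens[0]
        if head.startswith("--"):
            opt, _, value = head.partition("=")      # --udp-port=0
        else:
            opt, value = head[:2], head[2:]          # -U0 or -U 0
        value = value or (tokens[1] if len(tokens) > 1 else "")
        if opt in ("-U", "--udp-port"):
            udp_port = int(value)
        elif opt in ("-l", "--listen"):
            listen += [a.strip() for a in value.split(",") if a.strip()]
    # No -l line at all: memcached listens on every interface.
    reachable = [a for a in listen if not _is_loopback(a)] if listen else ["*"]
    return {"udp_port": udp_port, "listen": listen or ["*"],
            "udp_exposed": udp_port != 0 and bool(reachable)}

if __name__ == "__main__":
    print(audit_memcached_conf(SAMPLE_CONF, default_udp_port=11211))
```

A result with `udp_exposed` set to true means UDP port 11211 (or the configured UDP port) should be disabled with `-U 0` or filtered at the network edge unless it is deliberately in use.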
