Bug 1390510 (CVE-2016-8704)

Summary: CVE-2016-8704 memcached: Server append/prepend remote code execution
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: Andreas.Lehr, aortega, apevec, avibelli, ayoung, carnil, chrisw, coneill, cvsbot-xmlrpc, gmollett, gsterlin, hguemar, jbalunas, jorton, jschluet, jshepherd, kbasil, lhh, lindner, lpeer, markmc, matthias, mlichvar, rbryant, rrajasek, sclewis, tdecacqu, tjay, tkirby, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: memcached 1.4.33 Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-24 05:58:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1390513, 1390514, 1391260, 1391261, 1391262, 1391263, 1392271, 1392272, 1392273, 1392274    
Bug Blocks: 1390516, 1393126    

Description Andrej Nemec 2016-11-01 09:40:42 UTC 
An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.

External References:

http://www.talosintelligence.com/reports/TALOS-2016-0219/

Upstream patch:

https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
Comment 1 Andrej Nemec 2016-11-01 09:44:45 UTC 
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1390513]
Affects: epel-5 [bug 1390514]
Comment 5 Doran Moppert 2016-11-07 04:40:18 UTC 
Mitigation:

This flaw is in the memcached binary protocol. If you client programs only use the ASCII protocol when communicating with memcached, you can disable the binary protocol and protect against this flaw by adding "-B ascii" to OPTIONS in /etc/sysconfig/memcached.
Comment 9 errata-xmlrpc 2016-11-23 07:48:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2820 https://rhn.redhat.com/errata/RHSA-2016-2820.html
Comment 10 errata-xmlrpc 2016-11-23 07:49:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2819 https://rhn.redhat.com/errata/RHSA-2016-2819.html
Comment 11 Garth Mollett 2016-11-24 05:52:49 UTC 
Statement:

The versions of memcached as shipped with Red Hat OpenStack Platform 7, 8 and 9 are affected by this issue however will not be updated. The latest version of memcached from Red Hat Enterprise Linux 7 can safely be allowed to supersede the earlier versions provided in the Red Hat OpenStack Platform channels.
Comment 13 errata-xmlrpc 2017-01-11 16:30:47 UTC 
This issue has been addressed in the following products:

  Red Hat Mobile Application Platform 4.2

Via RHSA-2017:0059 https://access.redhat.com/errata/RHSA-2017:0059