Bug 1549752 - memcached binding to 0.0.0.0 instead of localhost by default
Status: CLOSED DUPLICATE of bug 1550066
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: memcached
Version: epel7
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Paul Lindner
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-02-27 18:33 UTC by jonthompson
Modified: 2018-02-28 13:22 UTC (History)

Last Closed: 2018-02-28 13:22:40 UTC
Type: Bug



Description jonthompson 2018-02-27 18:33:01 UTC
Description of problem:
Memcached is binding to 0.0.0.0 on tcp/udp by default.  This is not a correct configuration for memcache.

Version-Release number of selected component (if applicable):
Fedora 27, CentOS 7.4
Was cited in: RH bug fixed back in 2016 that appears to have not been adopted: https://bugzilla.redhat.com/show_bug.cgi?id=1182542
Corresponding bug opened for CentOS: https://bugs.centos.org/view.php?id=14537

How reproducible:
Easy

Steps to Reproduce:
1. Install CentOS or Fedora
2. Check netstat for memcache running bound to 0.0.0.0

Actual results:
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      2447/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           2447/memcached

Expected results:
tcp        0      0 127.0.0.1:11211           0.0.0.0:*               LISTEN      2447/memcached
udp        0      0 127.0.0.1:11211           0.0.0.0:*                           2447/memcached

Additional info:
This is being widely abused as a reflection attack by malicious actors.
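
The check from the steps to reproduce, as an added example that is not part of the original report: a shell function that reads `netstat -tulnp`-style rows and lists memcached sockets bound to a wildcard address. The function and helper names are assumptions made here, and the tcp6 sample row is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): list memcached sockets bound to
# a wildcard address. Reads `netstat -tulnp`-style rows on stdin, prints
# "proto local_address" per exposed socket, returns 1 if any were found.
find_exposed_memcached() {
    awk -v port="${1:-11211}" '
        $1 !~ /^(tcp|udp)6?$/ { next }        # skip headers and other rows
        {
            # Split "addr:port" at the last colon so IPv6 forms parse too.
            n = match($4, /:[0-9]+$/)
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            # With -p the last column is PID/program; keep memcached only.
            if ($NF ~ /\// && $NF !~ /\/memcached$/) next
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*") {
                print $1, $4
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Rows from the "Actual results" of the report, plus one constructed tcp6 row.
sample_actual() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      2447/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           2447/memcached
tcp6       0      0 :::11211                :::*                    LISTEN      2447/memcached
EOF
}

# Rows from the "Expected results" of the report.
sample_expected() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:11211           0.0.0.0:*               LISTEN      2447/memcached
udp        0      0 127.0.0.1:11211           0.0.0.0:*                           2447/memcached
EOF
}

sample_actual | find_exposed_memcached || echo "memcached is listening on a wildcard address"
sample_expected | find_exposed_memcached && echo "memcached is bound to loopback only"
```

On a live host, pipe the real `netstat -tulnp` output into `find_exposed_memcached`; a non-zero exit status means at least one wildcard bind was found.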

Comment 1 Miroslav Lichvar 2018-02-28 13:22:40 UTC

*** This bug has been marked as a duplicate of bug 1550066 ***

