memcached supports TCP and UDP servers. When the UDP server is enabled, the configuration does not specify localhost or 127.0.0.1, and the server does not firewall the memcached port (11211 by default), the server can be exploited for network traffic amplification attacks by spoofed UDP packets. Please note that by default the firewall on Red Hat Enterprise Linux only allows port 22 (SSH) inbound, so systems with memcached enabled are only affected if a firewall rule is added that allows UDP traffic to connect to memcached (by default on port 11211).
memcached upstream disabled UDP by default in version 1.5.6: https://github.com/memcached/memcached/wiki/ReleaseNotes156 Relevant upstream commit: https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974
Statement: Red Hat is aware of traffic amplification distributed denial of service (DDoS) attacks that take advantage of the insecurely configured memcached servers reachable from the public Internet. The default configuration of memcached as shipped in Red Hat products makes it possible to abuse them for these DDoS attacks if memcached is exposed to connections from the public Internet. Refer to the Red Hat Knowledgebase article 3369081 for instructions on how to properly secure memcached installations to prevent them from being used in the attack. https://access.redhat.com/solutions/3369081
Mitigation: Please refer to the Red Hat Knowledgebase article 3369081 for instructions on how to properly secure memcached installations to prevent them from being used in an attack. https://access.redhat.com/solutions/3369081
Note that this issue is further mitigated by the default Fedora configuration, which makes memcached listen on loopback addresses only. The change of this default was done in Fedora 25, see bug 1182542. https://src.fedoraproject.org/rpms/memcached/c/3ee983ab6353cb0613d03913dcc8b7dd3c9637c5
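The two conditions named above (a UDP listener, and a bind address other than loopback) can be checked directly against a host's memcached configuration. The following is an added example, not code from memcached or from Red Hat; it assumes the RHEL/Fedora sysconfig layout in which the systemd unit passes the OPTIONS variable from /etc/sysconfig/memcached to the daemon, and it assumes the pre-1.5.6 behaviour that a UDP listener is opened on port 11211 unless "-U 0" is given. The two configuration files it inspects are constructed for the example.

```python
import ipaddress
import shlex

# Two constructed /etc/sysconfig/memcached files (assumption: RHEL/Fedora sysconfig
# layout, where the memcached.service unit appends $OPTIONS to the command line).
# Sample inputs written for this example, not taken from a real host.
WEAK_CONFIG = """\
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
"""

HARDENED_CONFIG = """\
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
# loopback only (the Fedora 25+ default for -l) and UDP listener disabled
OPTIONS="-l 127.0.0.1,::1 -U 0"
"""

# memcached before 1.5.6 opened a UDP listener on 11211 unless -U 0 was passed.
LEGACY_UDP_DEFAULT = 11211


def parse_sysconfig(text):
    """Parse KEY="value" lines into a dict, skipping comments and blank lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        tokens = shlex.split(value)          # strips the shell quoting
        values[key.strip()] = tokens[0] if tokens else ""
    return values


def option_value(argv, flag):
    """Return the last value given for a short flag ('-l x' or '-lx' form), or None."""
    found = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == flag and i + 1 < len(argv):
            found = argv[i + 1]
            i += 2
            continue
        if arg.startswith(flag) and len(arg) > len(flag):
            found = arg[len(flag):]
        i += 1
    return found


def split_listen(spec):
    """Split a -l value ('a,b,c'; items may be host:port or [v6]:port) into hosts."""
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("["):             # [::1]:11211
            item = item[1:item.index("]")]
        elif item.count(":") == 1:           # 127.0.0.1:11211
            item = item.split(":")[0]
        hosts.append(item)
    return hosts


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'; unknown names count as exposed."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_memcached(sysconfig_text, udp_default=LEGACY_UDP_DEFAULT):
    """Report whether this config leaves a memcached UDP listener reachable off-host."""
    cfg = parse_sysconfig(sysconfig_text)
    argv = shlex.split(cfg.get("OPTIONS", ""))
    listen = option_value(argv, "-l")
    udp_raw = option_value(argv, "-U")
    udp_port = int(udp_raw) if udp_raw is not None else udp_default
    hosts = split_listen(listen) if listen else ["0.0.0.0"]   # no -l: all interfaces
    loopback_only = all(is_loopback(h) for h in hosts)
    findings = []
    if not loopback_only:
        findings.append("listens on non-loopback address(es): " + ", ".join(hosts))
    if udp_port != 0:
        findings.append("UDP listener enabled on port %d (pass -U 0 to disable)" % udp_port)
    return {
        "listen": hosts,
        "udp_port": udp_port,
        "amplifiable": udp_port != 0 and not loopback_only,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_memcached(text))
```

On a live host, feed it the real file (audit_memcached(open("/etc/sysconfig/memcached").read())) and pass udp_default=0 if the installed memcached is 1.5.6 or later. The check only covers what the daemon itself binds; the firewall rules mentioned in the description still need to be reviewed separately, since an exposed listener behind a firewall that drops 11211/udp is not reachable for amplification.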
Created memcached tracking bugs for this issue: Affects: fedora-all [bug 1551655]
Created memcached tracking bugs for this issue: Affects: openstack-rdo [bug 1551839]
*** Bug 1553274 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2018:1593 https://access.redhat.com/errata/RHSA-2018:1593
This issue has been addressed in the following products: Red Hat OpenStack Platform 11.0 (Ocata) Via RHSA-2018:1627 https://access.redhat.com/errata/RHSA-2018:1627
This issue has been addressed in the following products: Red Hat OpenStack Platform 12.0 (Pike) Via RHSA-2018:2331 https://access.redhat.com/errata/RHSA-2018:2331
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) director Via RHSA-2018:2857 https://access.redhat.com/errata/RHSA-2018:2857