Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1390510 (CVE-2016-8704) - CVE-2016-8704 memcached: Server append/prepend remote code execution
Summary: CVE-2016-8704 memcached: Server append/prepend remote code execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1390513 1390514 1391260 1391261 1391262 1391263 1392271 1392272 1392273 1392274
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-01 09:40 UTC by Andrej Nemec
Modified: 2021-02-17 03:05 UTC (History)
30 users (show)

Fixed In Version: memcached 1.4.33
Clone Of:
Environment:
Last Closed: 2016-11-24 05:58:51 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2819 0 normal SHIPPED_LIVE Important: memcached security update 2016-11-23 12:47:52 UTC
Red Hat Product Errata RHSA-2016:2820 0 normal SHIPPED_LIVE Important: memcached security update 2016-11-23 12:47:24 UTC
Red Hat Product Errata RHSA-2017:0059 0 normal SHIPPED_LIVE Moderate: Red Hat Mobile Application Platform 4.2.1 Security Update - SDKs and RPMs 2017-01-11 21:30:36 UTC

Description Andrej Nemec 2016-11-01 09:40:42 UTC
An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.

External References:

http://www.talosintelligence.com/reports/TALOS-2016-0219/

Upstream patch:

https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c

Comment 1 Andrej Nemec 2016-11-01 09:44:45 UTC
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1390513]
Affects: epel-5 [bug 1390514]

Comment 5 Doran Moppert 2016-11-07 04:40:18 UTC
Mitigation:

This flaw is in the memcached binary protocol. If you client programs only use the ASCII protocol when communicating with memcached, you can disable the binary protocol and protect against this flaw by adding "-B ascii" to OPTIONS in /etc/sysconfig/memcached.

Comment 9 errata-xmlrpc 2016-11-23 07:48:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2820 https://rhn.redhat.com/errata/RHSA-2016-2820.html

Comment 10 errata-xmlrpc 2016-11-23 07:49:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2819 https://rhn.redhat.com/errata/RHSA-2016-2819.html

Comment 11 Garth Mollett 2016-11-24 05:52:49 UTC
Statement:

The versions of memcached as shipped with Red Hat OpenStack Platform 7, 8 and 9 are affected by this issue however will not be updated. The latest version of memcached from Red Hat Enterprise Linux 7 can safely be allowed to supersede the earlier versions provided in the Red Hat OpenStack Platform channels.

Comment 13 errata-xmlrpc 2017-01-11 16:30:47 UTC
This issue has been addressed in the following products:

  Red Hat Mobile Application Platform 4.2

Via RHSA-2017:0059 https://access.redhat.com/errata/RHSA-2017:0059


Note You need to log in before you can comment on or make changes to this bug.