CVE-2018-1000115 (retired)

Priority
Description
Memcached version 1.5.5 contains an Insufficient Control of Network Message
Volume (Network Amplification, CWE-406) vulnerability in the UDP support of
the memcached server that can result in denial of service via network flood
(traffic amplification of 1:50,000 has been reported by reliable sources).
This attack appears to be exploitable via network connectivity to port 11211
UDP. This vulnerability appears to have been fixed in 1.5.6 due to the
disabling of the UDP protocol by default.
Ubuntu-Description
It was discovered that Memcached listened to UDP by default. A remote
attacker could use this as part of a distributed denial of service
attack.
Notes
 sbeattie> in Ubuntu (and Debian) memcached is bound to the loopback
  interface by default. However, if memcached is bound to other
  interfaces, the UDP port is still enabled by default.
 sbeattie> Ubuntu update is to disable listening on UDP by default. To
  re-enable UDP, add '-U 11211' to /etc/memcached.conf and restart the
  memcached service.
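
A configuration audit for the condition the notes above describe (UDP enabled while memcached is bound to a non-loopback interface), as an added example that is not part of the tracker entry or the Ubuntu packaging. The function name, status strings and sample configs are constructed; it assumes one option per line with `#` comments, handles only the short `-U` and `-l` options, and takes the package's default UDP port as a second argument (0 for a fixed package, 11211 for an unfixed one).

```shell
#!/bin/sh
# memcached_udp_status FILE [DEFAULT_UDP_PORT]
# Prints one of:
#   udp-disabled   effective UDP port is 0
#   udp-loopback   UDP is on, every -l address is loopback
#   udp-exposed    UDP is on and some -l address is not loopback,
#                  or no -l is given (memcached then binds all interfaces)
memcached_udp_status() {
    conf=$1
    default_udp=${2:-0}   # assumption: 0 = fixed package, 11211 = pre-fix default
    awk -v udp="$default_udp" '
        { sub(/#.*/, "") }                        # strip comments
        $1 == "-U" && $2 != "" { udp = $2 }       # assumption: last -U wins
        $1 == "-l" && $2 != "" {                  # collect every -l value
            listen = listen (listen == "" ? "" : ",") $2
        }
        END {
            if (udp + 0 == 0) { print "udp-disabled"; exit }
            if (listen == "") { print "udp-exposed"; exit }
            n = split(listen, addrs, ",")         # -l accepts a comma-separated list
            for (i = 1; i <= n; i++)
                if (addrs[i] !~ /^(127\.|::1$|localhost$)/) {
                    print "udp-exposed"; exit
                }
            print "udp-loopback"
        }
    ' "$conf"
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# default-style config' '-p 11211' '-l 127.0.0.1' \
    > "$tmp/loopback.conf"
printf '%s\n' '-p 11211' '-l 127.0.0.1,192.0.2.10' '-U 11211' \
    > "$tmp/exposed.conf"

for f in "$tmp"/*.conf; do
    printf '%s fixed=%s pre-fix=%s\n' "${f##*/}" \
        "$(memcached_udp_status "$f")" \
        "$(memcached_udp_status "$f" 11211)"
done
```

Run it against `/etc/memcached.conf` with the second argument matching the installed package: a config with no `-U` line is only as safe as that package's default.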
Package
Upstream:released (1.5.6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (1.4.14-0ubuntu9.2)
Ubuntu 16.04 LTS (Xenial Xerus):released (1.4.25-2ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (1.5.4-1ubuntu3)
More Information

Updated: 2019-03-26 12:26:48 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)