Out-of-bounds read in memcached

#VU20847 Out-of-bounds read in memcached

Published: 2019-09-04

Vulnerability identifier: #VU20847

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15026

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
memcached
Server applications / Web servers

Vendor: Memcached

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to stack-based buffer over-read in conn_to_str() function in memcached.c. A remote attacker can perform a denial of service attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

memcached: 1.4.18 - 1.5.16

External links
http://github.com/memcached/memcached/commit/554b56687a19300a75ec24184746b5512580c819
http://github.com/memcached/memcached/wiki/ReleaseNotes1517

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler update for memcached

OpenSUSE Linux update for memcached

Ubuntu update for Memcached

Denial of service in memcached