

** White information - unlimited distribution                               **  

** see for distribution restrictions **


Title:       EGI SVG Advisory "Moderate" risk - DPM Wiki instructs insecure configuration 
            if configured 'memcached' [SVG EGI-SVG-2015-7980]

Date:        2015-01-14 



The DPM configuration instructions on the DPM wiki told sites to configure memcached insecurely 
if the DMLite memcache plugin is used. [R 1]

At least one site has been found to have this insecure configuration. This advisory therefore 
instructs sites that use DPM with memcached to check their configuration and modify it 
if necessary. 

These instructions have since been fixed. 


On the DPM wiki there are instructions to configure the DPM cluster using the DMLite memcache plugin. [R 1]

If the instructions in the section entitled 'The memcached daemon' were followed, memcached listens on 
all interfaces and is reachable from any host that can reach port 11211. At many sites firewalling 
may prevent exploitation of this vulnerability, but that was not the case for at least one site.

It is not clear how many sites in the EGI infrastructure are vulnerable, but since any that followed 
the wiki instructions are vulnerable we must assume that it is not an isolated problem.  

In this case the information which may be obtained is not considered particularly sensitive, 
hence the risk category. 

Risk category

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team for sites configured 

Affected software


This was a problem with the configuration instructions NOT a problem with the software itself. 


The instructions should state:

 [root@lxfsra04a04 log]# cat /etc/sysconfig/memcached
 PORT="11211"
 OPTIONS="-l -U 11211 -t 4"

- it is the OPTIONS line that was previously incorrect. memcached's -l option takes the address of the 
interface the daemon should listen on; without -l, memcached binds to all interfaces by default.


Sites that use DPM should check their memcached configuration and modify it if necessary as soon as possible. 
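The script below is an added example written for this advisory; it is not code from the EGI SVG, the DPM project or the DPM wiki. It parses the OPTIONS line of a RHEL-style /etc/sysconfig/memcached and reports whether memcached is bound to specific addresses or would listen on every interface, running over two constructed sample files. The listen address 127.0.0.1 in the second sample is an assumed illustration and not a value this advisory gives; the ss-based live check is assumed to be run as root on the DPM head node itself.

```shell
#!/bin/sh
# Added example, not code from the EGI advisory or the DPM wiki: a check for
# whether a RHEL-style /etc/sysconfig/memcached binds memcached to specific
# addresses. Assumptions: the file carries PORT= and OPTIONS= lines; "-l" is
# memcached's listen-address option; the sample files below are constructed.

# Print the value of the OPTIONS= line of a sysconfig file, quotes stripped.
memcached_options() {
    sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tr -d "\"'"
}

# Return 0 if a comma-separated address list contains a wildcard address.
has_wildcard_addr() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qFx -e 0.0.0.0 -e ::
}

# Return 0 if OPTIONS in the given file binds memcached to specific addresses,
# 1 if it would listen on all interfaces (no -l, -l without an address,
# or -l with a wildcard address).
memcached_bound_locally() {
    opts=$(memcached_options "$1")
    found=0
    set -- $opts            # word-split the option string into $1 $2 ...
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)             # "-l ADDR" form
                shift
                case "$1" in ''|-*) return 1 ;; esac   # -l with no address
                has_wildcard_addr "$1" && return 1
                found=1 ;;
            -l*)            # "-lADDR" form
                has_wildcard_addr "${1#-l}" && return 1
                found=1 ;;
        esac
        shift
    done
    [ "$found" -eq 1 ]
}

# Live check for a running daemon (not exercised by the samples below):
# print memcached TCP/UDP listeners bound to a wildcard address on port 11211.
memcached_wildcard_listeners() {
    ss -ltun 2>/dev/null | awk 'NR > 1 && $5 ~ /^(0\.0\.0\.0|\*|\[::\]):11211$/'
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: OPTIONS without any -l, so memcached accepts connections
# from every host that can reach port 11211.
cat > "$tmp/memcached.insecure" <<'EOF'
PORT="11211"
USER="memcached"
OPTIONS="-U 11211 -t 4"
EOF

# Constructed sample with a listen address. 127.0.0.1 is an assumed value;
# use the address of the interface the DPM head node's dmlite actually needs.
cat > "$tmp/memcached.fixed" <<'EOF'
PORT="11211"
USER="memcached"
OPTIONS="-l 127.0.0.1 -U 11211 -t 4"
EOF

for f in "$tmp/memcached.insecure" "$tmp/memcached.fixed"; do
    if memcached_bound_locally "$f"; then
        echo "OK   $f: $(memcached_options "$f")"
    else
        echo "FIX  $f: $(memcached_options "$f")"
    fi
done
```

Run it as root on each DPM head node where the dmlite memcache plugin is enabled, and call memcached_wildcard_listeners there to confirm the running daemon matches the file. Binding to a specific address is only part of the fix: memcached has no authentication of its own, so the address chosen must be one that only the DPM components need to reach, and firewalling port 11211 for both TCP and UDP (the -U 11211 option keeps the UDP listener enabled) remains advisable.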


This vulnerability was reported by David Groep from Nikhef. 


[R 1]


2015-01-09 Vulnerability reported by David Groep from Nikhef 
2015-01-12 Acknowledgement from the EGI SVG to the reporter
2015-01-12 Advisory drafted.
2015-01-13 Risk assessment agreed 
2015-01-13 Wiki fixed
2015-01-14 Advisory sent to sites
2015-01-14 Public disclosure