Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it

2020-03-24 11:04

On Monday morning a netizen with the handle IceJi publicly revealed the presence of that could be exploited to crash the software: specifically, the flaw is a buffer-overflow in the binary protocol header in memcached versions 1.6.0 and 1.6.1.

Developers were not warned of the bug prior to the public disclosure.

A project maintainer, Dormando, told The Register that the bug was addressed just hours after being reported, and admins can get the fix by updating to the new version 1.6.2.

The decision to drop the bug as a zero-day drew criticism from many on the project, who pointed out that conventionally developers are given advance, private notice of several weeks to patch bugs before their details become public.

Having said that, there are tens of thousands of servers facing the internet that appear to be running memcached on its default port of 11211.

News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/memcached_denial_of_service/

#memcached #server

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Memcached		1	3	8	7	1	19