Memcached application compatibility break

Hi,

I have received this notification:

Due to a security vulnerability, you must upgrade your memcached application scripts to the latest version. (1.1)
2022-10-14 00:00:00 | Source: misc/notifications.rss

What exactly must be done to upgrade the scripts? Thank you.

Ubuntu 22.04 LTS

Version 22.10.0-4-g34a58c3f9 - Tue Oct 18 2022 13:30:42 GMT+0200
Database Schema 2022_09_03_091314_update_ports_adsl_table_with_defaults (246)
Web Server nginx/1.18.0
PHP 8.1.2
Python 3.10.6
Database MariaDB 10.6.7-MariaDB-2ubuntu1.1
Laravel 8.83.23
RRDtool 1.7.2

Yeah the notification is worded in a really confusing way.

My understanding from reading the pull request is that memcached used to ship with LibreNMS server side, but it has been removed in 22.10.0 because of this vuln.

So, the notification is saying that if you use LibreNMS client side agent, and any of the agent checks that you use rely on memcached(?), then you have to update your check scripts since they are now broken.

It would be nice to get confirmation on this. I’m not a great developer so trying to make sense of the RSS notification or pull request has been a challenge.

Here’s the relevant pull request:

It would seem to me that the notification relates to users who make use of the agent-local method of monitoring the Memcached application on servers. There is a security vulnerability, and therefore any client-side agent-local script (snmp extend) that you deployed on the servers running memcached will need to have the updated code installed in order to ensure that your servers are not vulnerable to this exploit.


So, I’m not even remotely a developer. Thanks @rocko and @Hans_Erasmus for the answers, but I still don’t understand if I have to do anything. I manage 2 separate and independent installs of LibreNMS, one on Ubuntu 22.04 at work and another one at home for testing on Debian 11. Both got this weird notification, and even after reading this post (the only one on the whole internet [according to Google] that has the same text) I have no clue whether it applies to me or not. I never installed any memcached script, I don’t even know what they are; I just installed it as per the install instructions at Installing LibreNMS - LibreNMS Docs.
I’ll be very thankful if anyone could kindly be more clear about this.
Thank you again

Pretty sure I understand it now.

  • This only matters to people who are using the LibreNMS agent to monitor memcached (memcached is installed on a different computer than LibreNMS)
  • If you are monitoring memcached using the LibreNMS agent, your memcached monitoring will have stopped working as of this latest LibreNMS update. To get it going again requires upgrading the memcached application

So it turns out the notification probably only affects a small group of users.

This was discussed a bit on the LibreNMS Discord, here are the relevant parts:

Hans:
It seems to me that if anyone was using the agent-local code to get memcached stats (in other words monitoring the memcached application) you need to ensure that the agent-local scripts contain the updated code from Fix memcached unserialize vulnerability by murrant · Pull Request #14459 · librenms/librenms · GitHub

Murrant:
FYI, even if the agent code isn’t updated, the security bug is fixed either way. (Just the application won’t collect data :D)

