Memcached application compatibility break


I have received this notification:

Due to a security vulnerability, you must upgrade your memcached application scripts to the latest version. (1.1)
2022-10-14 00:00:00 | Source: misc/notifications.rss

What must be done exactly for upgrade the scripts ¿? Thank you.

Ubuntu 22.04 LTS

Version 22.10.0-4-g34a58c3f9 - Tue Oct 18 2022 13:30:42 GMT+0200
Database Schema 2022_09_03_091314_update_ports_adsl_table_with_defaults (246)
Web Server nginx/1.18.0
PHP 8.1.2
Python 3.10.6
Database MariaDB 10.6.7-MariaDB-2ubuntu1.1
Laravel 8.83.23
RRDtool 1.7.2
1 Like

Yeah the notification is worded in a really confusing way.

My understanding from reading the pull request is that memcached used to ship with LibreNMS server side, but it has been removed in 22.10.0 because of this vuln.

So, the notification is saying that if you use LibreNMS client side agent, and any of the agent checks that you use rely on memcached(?), then you have to update your check scripts since they are now broken.

It would be nice to get confirmation on this. I’m not a great developer so trying to make sense of the RSS notification or pull request has been a challenge.

Here’s the relevant pull request:

It would seem to me that the notification relates to users who make use of the agent-local method of monitoring Memcached application on servers. There is a security vulnerability, and therefor any client side agent-local script (snmp extend) that you deployed on the servers running memcached, will need to have the updated code installed in order to ensure that your servers are not vulnerable to this exploit.

1 Like

So, I’m not even remotely a developer, thanks @rocko and @Hans_Erasmus for the answers… but I still don’t understand if I have to do anything, I manage 2 separate and independent installs of librenms, one on Ubuntu 22.04 at work, and another one at home for testing on debian 11, both got this weird notification and even after reading this post (the only one in the whole internet [according to google] that has the same text) I have no clue if applies to me or not, I never installed any memcached script, I don’t even know what they are, I just installed it as per the install instructions at Installing LibreNMS - LibreNMS Docs
I’ll be very thankful if anyone could kindly be more clear about this.
Thank you again

Pretty sure I understand it now.

  • This only matters to people who are using the LibreNMS agent to monitor memcached (memcached is installed on a different computer than LibreNMS)
  • If you are monitoring memcached using the LibreNMS agent, your memcached monitoring will have stopped working as of this latest LibreNMS update. To get it going again requires upgrading the memcached application

So it turns out the notification probably only affects a small group of users.

This was discussed a bit on the LibreNMS Discord, here are the relevant parts:

It seems to me that if anyone was using the agent-local code to get memcached stats (in other words monitoring the memcached application) you need to ensure that the agent-local scripts contain the updated code from Fix memcached unserialize vulnerability by murrant · Pull Request #14459 · librenms/librenms · GitHub

FYI, even if the agent code isn’t updated, the security bug is fixed either way. (Just the application won’t collect data :D)

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.