Couchbase vulnerability: Memcached Service Accessible Without Authentication

#1

Hi,
We are currently running Couchbase CE 4.5.1 and our Qualys scans indicated this vulnerability:

Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read. The target is running Memcached service with authentication disabled. QID Detection Logic (Unauthenticated): This QID sends a crafted TCP packet to the target memcached service to check it’s accessible without any authentication.

I can’t find any docs on how to secure memcached with authentication specifically for Couchbase.

On another note, we are currently in the process of upgrading Couchbase CE to 5.1.1, but it doesn’t look like memcached requires authentication in 5.1.1 either. I’m able to run this and get back stats:

echo stats | nc $some_couchbase_server_ip 11211

Maybe that’s not a good test. Anyway, going forward:

  1. Does Couchbase CE 5.1.1 have authentication set for memcached “out of the box”?
  2. If not, can you point me to some info on how to set this up?

Thanks and let me know if you need more info!
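The `echo stats | nc` check from the post above, as an added example that is not part of the original thread: it sends the same memcached ASCII `stats` command to each node and only reports a node as answering without authentication when a complete `STAT ... END` reply comes back. The function names and status strings are hypothetical, and nothing is assumed about what a locked-down node returns; any other reply is reported as `no-stats-reply`.

```python
import socket
import sys

def parse_stats(raw: bytes):
    """Parse a memcached ASCII 'stats' reply.
    Returns a dict for a complete STAT ... END reply, otherwise None."""
    stats = {}
    for line in raw.decode("ascii", "replace").split("\r\n"):
        if line == "END":
            return stats
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] != "STAT":
            return None  # ERROR, binary data, or anything unexpected
        stats[parts[1]] = parts[2]
    return None  # truncated reply: END never arrived

def check_node(host: str, port: int = 11211, timeout: float = 3.0) -> str:
    """Return 'unauthenticated', 'no-stats-reply' or 'unreachable'
    (status names are hypothetical, chosen for this example)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    buf = b""
    with sock:
        try:
            sock.sendall(b"stats\r\n")
            # Read until the END terminator, a close, or a sane size limit.
            while not buf.endswith(b"END\r\n") and len(buf) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except OSError:
            pass  # timeout or reset: classify whatever arrived
    return "unauthenticated" if parse_stats(buf) is not None else "no-stats-reply"

if __name__ == "__main__":
    # Usage: python check_memcached.py node1 node2 ...
    for node in sys.argv[1:]:
        print(f"{node}:11211 {check_node(node)}")
```

Run it from the same network position as the scanner, once per node before and after a configuration or firewall change, so the result is comparable to the scan finding.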

#2

It’s not very clear to me, but per these docs, it sounds as if Couchbase and memcached are two different mechanisms. So assuming we are just using Couchbase, can we disable memcached from even starting?