Frank Weigel's blog

August 26, 2011

Couchbase Server 2.0 Tour and Demo

It’s been a busy few weeks since CouchConf San Francisco, where we announced and demo’d the developer preview of Couchbase Server 2.0, which integrates Apache CouchDB, Membase and Memcached into a single, powerful NoSQL database solution.

We just finished an update to the developer preview and it is now available. Be sure to download the latest version and let us know what you think.


May 27, 2011

Membase Server 1.7 Developer Preview

With the general availability of Membase Server 1.7 just a few weeks away, the final developer preview beta release is now available for download and provides a great way to take a peek at the new version and experience the new features.

The release combines many user-visible changes with significant “under-the-hood” improvements that further enhance the elasticity and robustness of Membase Server clusters.


January 25, 2011

New Release of Membase (1.6.5) Now Available

Time flies when you are having fun. Apparently I am having a lot of fun, because it sure doesn’t seem like a quarter ago that we launched Membase Server for general availability. :)


November 15, 2010

Membase Meetup, Silicon Valley Edition

This is just a quick post to say we really enjoyed last Wednesday's Membase meetup with a group of great developers right here in the heart of Silicon Valley. Thanks to everyone who came - it was an excellent discussion. We have had several requests for the slides, which are available below and on slideshare.


November 10, 2010

Membase Hits the Big Apple and Beantown

It’s been a busy week with our inaugural meetups in New York City and Boston.

We've enjoyed meeting Membase users, and interacting with those interested in trying out the software for the first time. The feedback on the meetups and the content has been overwhelmingly positive, with great suggestions for future gatherings. In particular, attendees liked our content on how to program with key-value stores – we’ll make sure to cover that in more depth in upcoming meetups.


October 11, 2010

Membase Server is Now Generally Available!

I am proud to say we have just released Membase Server 1.6 for general availability. We owe a huge debt of gratitude to our hundreds of beta users, who have worked with us over the past few months providing excellent feedback and helping us drive the product forward. Thank you!
 
Here are some of the things that stand out to me as we release the product to market:
 


September 23, 2010

Membase Server Beta 4 is here, with memcached buckets!

We NorthScalers have been hard at work and are proud to release Membase Server Beta 4, our final Beta release ahead of our general availability release. Go and grab it here! In addition to support for 64-bit Windows, we think you'll be particularly excited by a major new feature in the release: memcached buckets!

Introducing Memcached Buckets
You now can create buckets in your Membase Server cluster that behave exactly like memcached, which means you can use Membase Server as a drop-in replacement for your existing memcached setup. In a single cluster you can now share the resources between memcached buckets and membase buckets. Let's look at the differences between memcached and membase bucket types:


August 30, 2010

NorthScale Membase Server Beta 3 is Here!

I am excited to announce that NorthScale Membase Server 1.6 Beta3 is now available and ready for download. This beta release adds a lot of new functionality and reflects most of what you’ll find in the final product. Highlights include:

  • Windows support
  • Multi-tenancy – allows multiple buckets on a single cluster including bucket quotas
  • “Cluster Overview” as a new monitoring dashboard
  • And lots of small improvements and bug fixes, of course!

Let’s take a look at these features in a bit more detail:

Windows support is by far one of the most frequently requested features, and we are very pleased to offer it with this beta release. Beta3 provides 32-bit Windows support, with 64-bit support on the way (Note: the 32-bit binary runs just fine on 64-bit Windows but is subject to the 32-bit memory limits). The Windows version provides the same feature set as our Linux version.


August 10, 2010

Memcached, go-derper, Black Hat and an Amazon Web Services (AWS) Security Bulletin

If you are a user of memcached and have deployed instances on Amazon EC2, you may have received a message from Amazon over the weekend (we received one on 8/7/2010) indicating you may have a “Possible Insecure Memcached Configuration.” Here’s the body of the message we received:

We've sent you this email to let you know that we have observed that you may be running memcached in an insecure configuration. Specifically, we have noticed that you have at least one security group that allows the whole internet to have access to the port most commonly used by memcached (11211).

There has been a lot of recent attention by the security community about the lack of access controls on memcached and recently some exploits have been published. This has highlighted the importance of running with strict access controls. While we are not aware of any unauthorized access to your Amazon EC2 instances, we do believe you should have your technical team look at this immediately.

We suggest that you audit your security group settings and restrict access to only the instances and IP addresses that need access. Most users only authorize other Amazon EC2 instances to access their memcached server. If you need to access your memcached server from outside of Amazon EC2, you can also authorize just trusted addresses to access your security group.

If you need additional assistance, you can reach our Premium Support team by sending email to aws-security-support@amazon.com.

Regards,
The Amazon Web Services Team

Great email and service from the AWS team, and the suggested fix is spot on.

This post provides some background on the issue and on the “recent attention” the email alludes to. The issue is relevant to all users of memcached, not just those deploying on Amazon EC2.

The vulnerability
The genesis of this bulletin was almost certainly the development of go-derper by the team at SensePost, highlighted at the Black Hat USA 2010 conference on July 30, 2010.

The highlighted vulnerability can be summarized as follows: if you deploy memcached on a server, leave the TCP port on which memcached is configured to listen (11211, by default) exposed to the Internet, leave the memcached ASCII protocol enabled, AND you are not using SASL authentication with the memcached binary protocol, then there is a trivial way for Bad Guys to retrieve and replace most of the contents of your cache. go-derper.rb is a simple Ruby application, built by SensePost, that can be used to exploit the vulnerability.

Eliminating the vulnerability
Let’s examine the vulnerability, clause-by-clause, and highlight what can be done to eliminate it, starting at the top:
