CVE-2023-43768

7.5 HIGH

📋 TL;DR

Unauthenticated attackers can send large commands to Couchbase Server's memcached component, causing memory exhaustion and denial of service. This affects Couchbase Server versions 6.6.x through 7.2.0 (specifically before 7.1.5 and 7.2.1). Systems with memcached exposed to untrusted networks are most vulnerable.

💻 Affected Systems

Products:
  • Couchbase Server
Versions: 6.6.x through 7.2.0 (specifically before 7.1.5 and 7.2.1)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with memcached component enabled and accessible. Default installations typically have memcached enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage due to memcached memory exhaustion, potentially affecting all Couchbase Server functionality that depends on memcached.

🟠 Likely Case

Degraded performance or temporary service disruption until memory is freed or the service restarts.

🟢 If Mitigated

Minimal impact if memcached is not exposed to untrusted networks and proper network segmentation is in place.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows any internet user to potentially cause denial of service.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but exploitation requires network access to memcached.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability description suggests simple exploitation by sending large commands. Because no authentication is required, weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.5 or 7.2.1

Vendor Advisory: https://docs.couchbase.com/server/current/release-notes/relnotes.html

Restart Required: Yes

Instructions:

1. Download the patched version from the Couchbase downloads page.
2. Back up configuration and data.
3. Stop Couchbase Server.
4. Install the patched version.
5. Restart Couchbase Server.
6. Verify functionality.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to memcached ports (default 11210-11211) to trusted sources only.

# Replace TRUSTED_IP with a trusted host or CIDR; repeat the ACCEPT line for each trusted source.
# Rules are appended (-A), so an earlier catch-all ACCEPT in INPUT would take precedence; rules are not persistent across reboots.
iptables -A INPUT -p tcp --dport 11210:11211 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 11210:11211 -j DROP

Memory Limit Configuration

Platform: all

Configure memcached memory limits to reduce impact of memory exhaustion attacks.

# --cluster-ramsize sets the Data Service (memcached) memory quota in MB; size it to the RAM available on the node.
couchbase-cli setting-cluster -c localhost:8091 -u admin -p password --cluster-ramsize 4096

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate memcached from untrusted networks
  • Deploy rate limiting or connection limiting at network perimeter for memcached ports

🔍 How to Verify

Check if Vulnerable:

Check the Couchbase Server version and compare it against the affected versions. If the version is 6.6.0 or later but lower than 7.1.5, or is exactly 7.2.0, the system is vulnerable.

Check Version:

couchbase-cli server-info -c localhost:8091 -u admin -p password | grep version

Verify Fix Applied:

Verify that the version is 7.1.5 or higher (on the 7.1.x branch) or 7.2.1 or higher (on the 7.2.x branch). Test by attempting to send large commands to the memcached port.
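The version comparison above is easy to get wrong by hand because the fixed releases sit on two branches (7.1.5 and 7.2.1) while 7.2.0 is still affected. The following script is an added example, not part of the original advisory or Couchbase's tooling: it parses the JSON that `couchbase-cli server-info` prints (the sample below is constructed; only the `version` field is read, and Couchbase version strings are assumed to have the form `major.minor.patch-build-edition`) and applies exactly the ranges stated on this page.

```python
import json
import re
import sys
from typing import Tuple

# Affected ranges as stated in the advisory: 6.6.x through 7.2.0,
# with fixes in 7.1.5 (7.1 branch) and 7.2.1 (7.2 branch).
AFFECTED_LOWER = (6, 6, 0)   # inclusive lower bound
FIXED_71 = (7, 1, 5)         # first fixed release on the 7.1 branch
FIXED_72 = (7, 2, 1)         # first fixed release on the 7.2 branch

# Constructed sample of `couchbase-cli server-info` output (not from a real node).
# The version string format "<major>.<minor>.<patch>-<build>-<edition>" is assumed.
SAMPLE_SERVER_INFO = '{"version": "7.1.4-6551-enterprise", "status": "healthy"}'


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a Couchbase version string, ignoring build/edition."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v < AFFECTED_LOWER:
        return False            # 6.5.x and earlier are not listed as affected
    if v[:2] == (7, 2):
        return v < FIXED_72     # 7.2.0 is affected, 7.2.1 and later are fixed
    if v[:2] > (7, 2):
        return False            # 7.3 and later are outside the stated range
    return v < FIXED_71         # 6.6.x, 7.0.x and 7.1.0-7.1.4 are affected


def vulnerable_from_server_info(server_info_json: str) -> Tuple[str, bool]:
    """Parse server-info JSON and return (version, vulnerable?)."""
    info = json.loads(server_info_json)
    version = info["version"]
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Usage: couchbase-cli server-info -c localhost:8091 -u admin -p password | python3 check_cve_2023_43768.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVER_INFO
    ver, vuln = vulnerable_from_server_info(raw)
    print(f"{ver}: {'VULNERABLE to CVE-2023-43768' if vuln else 'not in affected range'}")
    sys.exit(1 if vuln else 0)
```

Pipe the real `server-info` output into the script on each node; the non-zero exit status makes it usable from a fleet-wide check. The ranges are deliberately kept as module-level tuples so they can be adjusted if the vendor advisory changes.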

📡 Detection & Monitoring

Log Indicators:

  • Unusually large memcached commands
  • Memory allocation failures in memcached logs
  • High memory usage alerts

Network Indicators:

  • Large payloads sent to memcached ports (11210-11211)
  • High volume of connections to memcached from single sources

SIEM Query:

(dest_port=11210 OR dest_port=11211) AND bytes_in > 1000000

Field names vary by SIEM; the port of interest is the server-side port memcached listens on, and the byte count of interest is the client-to-server direction. The OR must be parenthesised so that the byte threshold applies to both ports.
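To show how the two network indicators above translate into detection logic, the following is an added example (not part of the original advisory) that runs both rules over a constructed set of flow records. The field names `src_ip`, `dst_port` and `bytes_in` and the per-source connection threshold are assumptions; map them to your own flow or firewall log schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

MEMCACHED_PORTS = {11210, 11211}     # memcached ports named in the advisory
LARGE_PAYLOAD_BYTES = 1_000_000      # same threshold as the advisory's SIEM query
CONNECTIONS_PER_SOURCE = 50          # assumed threshold for "high volume from a single source"

# Constructed flow records (not real traffic). Assumed schema:
# src_ip = client address, dst_port = server port, bytes_in = client-to-server bytes.
SAMPLE_FLOWS: List[Dict] = [
    {"src_ip": "10.0.0.5", "dst_port": 11210, "bytes_in": 2048},          # normal client traffic
    {"src_ip": "10.0.0.5", "dst_port": 8091, "bytes_in": 1_500_000},      # large, but REST port, not memcached
    {"src_ip": "203.0.113.9", "dst_port": 11210, "bytes_in": 4_200_000},  # large command to memcached
] + [
    {"src_ip": "198.51.100.7", "dst_port": 11211, "bytes_in": 64} for _ in range(75)  # connection flood
]


@dataclass
class Finding:
    kind: str
    src_ip: str
    detail: str


def large_payload_findings(flows: List[Dict]) -> List[Finding]:
    """Indicator 1: large client-to-server payloads on memcached ports."""
    return [
        Finding("large_payload", f["src_ip"], f"{f['bytes_in']} bytes to port {f['dst_port']}")
        for f in flows
        if f["dst_port"] in MEMCACHED_PORTS and f["bytes_in"] > LARGE_PAYLOAD_BYTES
    ]


def connection_flood_findings(flows: List[Dict]) -> List[Finding]:
    """Indicator 2: many connections to memcached ports from one source."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f["dst_port"] in MEMCACHED_PORTS:
            counts[f["src_ip"]] += 1
    return [
        Finding("connection_flood", ip, f"{n} connections to memcached ports")
        for ip, n in counts.items()
        if n >= CONNECTIONS_PER_SOURCE
    ]


def analyse(flows: List[Dict]) -> List[Finding]:
    """Run both indicators and return all findings."""
    return large_payload_findings(flows) + connection_flood_findings(flows)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(f"[{finding.kind}] {finding.src_ip}: {finding.detail}")
```

Run against the constructed sample this reports one large payload (from 203.0.113.9) and one connection flood (from 198.51.100.7); the 1.5 MB request to port 8091 is deliberately ignored because it does not touch a memcached port. In production, feed the functions a window of flow records (for example the last five minutes) rather than a single batch, and tune the connection threshold to the baseline client count you observe.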

🔗 References
