Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:3441: Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges.
  • CVE-2023-32082: A flaw was found in etcd. Affected versions of etcd allow a remote, authenticated attacker to use the LeaseTimeToLive API to obtain sensitive information.
Red Hat Security Data
#vulnerability#red_hat#auth

Issued:

2023-06-05

Updated:

2023-06-05

RHSA-2023:3441 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: Red Hat OpenStack Platform 17.0 (etcd) security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for etcd is now available for Red Hat OpenStack Platform 17.0
(Wallaby).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

A highly-available key value store for shared configuration

Security Fix(es):

  • Information discosure via debug function (CVE-2021-28235)
  • Key name can be accessed via LeaseTimeToLive API (CVE-2023-32082)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Affected Products

  • Red Hat OpenStack 17 x86_64

Fixes

  • BZ - 2184441 - CVE-2021-28235 etcd: Information discosure via debug function
  • BZ - 2208131 - CVE-2023-32082 etcd: Key name can be accessed via LeaseTimeToLive API

Red Hat OpenStack 17

SRPM

etcd-3.4.26-1.el9ost.src.rpm

SHA-256: 46910be109e3a0d26b290d7a1602a1d6a0db49deedb0149360eeec4b4d01d8e3

x86_64

etcd-3.4.26-1.el9ost.x86_64.rpm

SHA-256: 9b5bf1607acfd0146da3792175e67fc4d5f548bbb3bc375ff2c36fe096fdc837

etcd-debuginfo-3.4.26-1.el9ost.x86_64.rpm

SHA-256: 226853d1090807c925a0fa4c6f0ec436307553dded1c899f4aa424b99b52d744

etcd-debugsource-3.4.26-1.el9ost.x86_64.rpm

SHA-256: 8ed5dc284898c4ff74499c5bf4d6ba12b6b1ec6eb57a21839876d81d303953f0

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Ubuntu Security Notice USN-6189-1

Ubuntu Security Notice 6189-1 - It was discovered that etcd leaked credentials when debugging was enabled. This allowed remote attackers to discover etcd authentication credentials and possibly escalate privileges on systems using etcd.

Red Hat Security Advisory 2023-3441-01

Red Hat Security Advisory 2023-3441-01 - An update for etcd is now available for Red Hat OpenStack Platform 17.0 (Wallaby).

Red Hat Security Advisory 2023-3447-01

Red Hat Security Advisory 2023-3447-01 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train).

Red Hat Security Advisory 2023-3445-01

Red Hat Security Advisory 2023-3445-01 - An update for etcd is now available for Red Hat OpenStack Platform 16.2 (Train). Issues addressed include a denial of service vulnerability.

RHSA-2023:3445: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges. * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause e...

RHSA-2023:3447: Red Hat Security Advisory: Red Hat OpenStack Platform 16.1 (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges. * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause e...

GHSA-3p4g-rcw5-8298: etcd Key name can be accessed via LeaseTimeToLive API

### Impact LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). ### Patches < v3.4.26 and < v3.5.9 are affected. ### Workarounds No. ### Reporter Yoni Rozenshein

CVE-2023-32082: Key name can be accessed via LeaseTimeToLive API

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

CVE-2021-28235: etcd-3.4.10-test/temp4cj.png at master · lucyxss/etcd-3.4.10-test

Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.