Headline
RHSA-2023:3441: Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 (etcd) security update
An update for etcd is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges.
- CVE-2023-32082: A flaw was found in etcd. Affected versions of etcd allow a remote, authenticated attacker to use the LeaseTimeToLive API to obtain sensitive information.
Issued:
2023-06-05
Updated:
2023-06-05
RHSA-2023:3441 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Red Hat OpenStack Platform 17.0 (etcd) security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for etcd is now available for Red Hat OpenStack Platform 17.0
(Wallaby).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Description
A highly-available key value store for shared configuration
Security Fix(es):
- Information discosure via debug function (CVE-2021-28235)
- Key name can be accessed via LeaseTimeToLive API (CVE-2023-32082)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Affected Products
- Red Hat OpenStack 17 x86_64
Fixes
- BZ - 2184441 - CVE-2021-28235 etcd: Information discosure via debug function
- BZ - 2208131 - CVE-2023-32082 etcd: Key name can be accessed via LeaseTimeToLive API
Red Hat OpenStack 17
SRPM
etcd-3.4.26-1.el9ost.src.rpm
SHA-256: 46910be109e3a0d26b290d7a1602a1d6a0db49deedb0149360eeec4b4d01d8e3
x86_64
etcd-3.4.26-1.el9ost.x86_64.rpm
SHA-256: 9b5bf1607acfd0146da3792175e67fc4d5f548bbb3bc375ff2c36fe096fdc837
etcd-debuginfo-3.4.26-1.el9ost.x86_64.rpm
SHA-256: 226853d1090807c925a0fa4c6f0ec436307553dded1c899f4aa424b99b52d744
etcd-debugsource-3.4.26-1.el9ost.x86_64.rpm
SHA-256: 8ed5dc284898c4ff74499c5bf4d6ba12b6b1ec6eb57a21839876d81d303953f0
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6189-1 - It was discovered that etcd leaked credentials when debugging was enabled. This allowed remote attackers to discover etcd authentication credentials and possibly escalate privileges on systems using etcd.
Red Hat Security Advisory 2023-3441-01 - An update for etcd is now available for Red Hat OpenStack Platform 17.0 (Wallaby).
Red Hat Security Advisory 2023-3447-01 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train).
Red Hat Security Advisory 2023-3445-01 - An update for etcd is now available for Red Hat OpenStack Platform 16.2 (Train). Issues addressed include a denial of service vulnerability.
An update for etcd is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges. * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause e...
An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges. * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause e...
### Impact LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). ### Patches < v3.4.26 and < v3.5.9 are affected. ### Workarounds No. ### Reporter Yoni Rozenshein
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.