Description
etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
Etcd, versions 3.2.0 through 3.2.25 and 3.3.0 through 3.3.10, are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server's TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
Statement
OpenShift Container Platform 3.x and 4.1 do not use etcd role-based access control, so they are not affected.
Mitigation
Ensure that the client server TLS certificate (specified with the --cert-file argument or the ETCD_CERT_FILE environment variable) does not include a CN (Common Name) field. If a Common Name field is part of this certificate, replace it with one that omits it.

To check the CN field of a certificate:

```sh
openssl x509 -noout -subject -in /path/to/client.crt | grep -o 'CN.*'
```

To check whether there is a username matching the CN field in the TLS client certificate (substitute the CN value for `<username>`):

```sh
etcdctl user get <username>
```

For more information on TLS authentication features, including how client-cert-auth is enabled, refer to the etcd transport security model documentation: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md

For more information on role-based access control, including how it is enabled, refer to the etcd role-based access control documentation: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/authentication.md
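As an added example (not part of this advisory or of the etcd project), the following POSIX shell script combines the two checks above into one audit: it extracts the CN from `openssl x509 -noout -subject` output (both the slash-separated and the comma-separated subject formats OpenSSL prints) and tests it against a saved `etcdctl user list` dump. The `check_cert` wrapper, its certificate path and the user-list file are assumptions for illustration.

```shell
#!/bin/sh
# Audit helper for the etcd CN/RBAC-username collision (added example, not advisory code).

# extract_cn: reads one "openssl x509 -noout -subject" line on stdin and prints
# the CN value, or nothing if the subject has no CN.
# Handles "subject= /C=US/O=Ex/CN=name" and "subject=C = US, O = Ex, CN = name".
extract_cn() {
  sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# cn_collides CN: reads RBAC usernames (one per line, e.g. saved output of
# "etcdctl user list") on stdin; returns 0 when CN exactly matches a username.
# An empty CN never collides.
cn_collides() {
  cn=$1
  [ -n "$cn" ] || return 1
  grep -qxF -- "$cn"
}

# check_cert CERT_FILE USERLIST_FILE: hypothetical wrapper that runs openssl on the
# server's --cert-file and reports the risk level. Exit code: 0 no CN, 1 CN present
# but unused as a username, 2 CN matches an RBAC user (the vulnerable condition).
check_cert() {
  cn=$(openssl x509 -noout -subject -in "$1" | extract_cn)
  if [ -z "$cn" ]; then
    echo "OK: $1 has no CN"
    return 0
  fi
  if cn_collides "$cn" < "$2"; then
    echo "RISK: CN '$cn' in $1 matches an etcd RBAC username"
    return 2
  fi
  echo "WARN: CN '$cn' in $1 is not a username yet; advisory still recommends removing it"
  return 1
}
```

Run it as `check_cert /path/to/server.crt users.txt` after saving `etcdctl user list > users.txt` on a node that can reach the cluster.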
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | etcd3 | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | cluster-autoscaler | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | metrics-server | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-etcd-rhel9 | Not affected | | |
| Red Hat Storage 3 | etcd | Affected | | |
| Red Hat Enterprise Linux 7 Extras | etcd | Fixed | RHSA-2019:1352 | 04.06.2019 |
Additional information
Status: 6.8 Medium (CVSS3)
Related vulnerabilities
A vulnerability in the implementation of the role-based access control (RBAC) function of the Etcd configuration store, allowing an attacker to gain unauthorized access to protected information.
6.8 Medium (CVSS3)