Bugzilla – Bug 1210138
VUL-0: CVE-2021-28235: etcd: Information disclosure via debug function
Last modified: 2024-04-30 09:24:55 UTC
CVE-2021-28235 Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28235
https://bugzilla.redhat.com/show_bug.cgi?id=2184441
https://www.cve.org/CVERecord?id=CVE-2021-28235
http://etcd.com
https://github.com/etcd-io/etcd
https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png
https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png
There are no details available for this security issue. I've asked upstream to comment on this. https://groups.google.com/g/etcd-dev/c/cXFg8Zhef5w
Comment from upstream:

It's a valid CVE, and we already resolved it in https://github.com/etcd-io/etcd/pull/15648. The issue can only happen when all the following conditions are true:

- The auth is enabled;
- The log level is set to "debug";
- Clients send authentication requests to etcdserver with username & password.

Note that the client SDK sends the authentication request automatically when reading or writing data.
(In reply to Alexander Bergmann from comment #2)
> The issue can only happen when all the following conditions are true:
>
> - The auth is enabled;
> - The log level is set to "debug";
> - Clients send authentication request to etcdserver with username & password.

Log level "debug" isn't really "production grade". IOW, it's very unlikely our single remaining customer will be exposed to this. Any chance to downgrade severity (and save engineering the hassle of a maintenance upgrade)?
I believe CaaSP is not affected by this vulnerability. I just did some small research on the latest CaaSP 4.2.9 with the current registry.suse.com/caasp/v4/etcd:3.4.13 image:

* the debug flag `--log-level=debug` or `--debug` is not set for the etcd command (see below)
* no user present in the etcd configuration (called from the etcd pod):

> # etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/peer.crt --key=/etc/kubernetes/pki/etcd/peer.key user list
> No output

== means there are no users set at all; I could add a user by "user add root" and then he was present in the command ^ output.

Changing etcd's static pod definition to custom values and/or adding custom users is possible but unsupported and has potential to break updates.

This is the etcd static pod definition:

```
    - command:
      - etcd
      - --advertise-client-urls=https://x.x.x.x:2379
      - --cert-file=/etc/kubernetes/pki/etcd/server.crt
      - --client-cert-auth=true
      - --data-dir=/var/lib/etcd
      - --initial-advertise-peer-urls=https://x.x.x.x:2380
      - --initial-cluster=caasp-master-th-429-before-0=https://x.x.x.x:2380
      - --key-file=/etc/kubernetes/pki/etcd/server.key
      - --listen-client-urls=https://127.0.0.1:2379,https://x.x.x.x:2379
      - --listen-metrics-urls=http://127.0.0.1:2381
      - --listen-peer-urls=https://x.x.x.x:2380
      - --name=caasp-master-th-429-before-0
      - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
      - --peer-client-cert-auth=true
      - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
      - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
      - --snapshot-count=10000
      - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
```

So from the conditions we meet only the first bullet - enabled auth, but only by using key/cert.
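The check above can be scripted. The following is an added example, not part of this bug thread, of etcd or of CaaSP: it tests the two conditions from comment #2 that an operator can observe on a node (the debug-logging flag in the kubelet static pod manifest, and whether any users exist in saved `etcdctl user list` output) against constructed sample files; the manifest location is an assumption.

```shell
#!/bin/sh
# Added check script, not from this bug thread or from etcd. It tests the two
# conditions from comment #2 that an operator can observe on a node:
#   - etcd started with debug logging (--log-level=debug or --debug), and
#   - users configured that could authenticate with username and password.
# Whether auth is actually enabled (condition 1) still has to be checked with etcdctl.

# Does the kubelet static pod manifest start etcd with debug logging?
# $1: manifest path, e.g. /etc/kubernetes/manifests/etcd.yaml (assumed location)
etcd_debug_logging_enabled() {
    grep -Eq '^[[:space:]]*-[[:space:]]*--(log-level=debug|debug(=true)?)[[:space:]]*$' "$1"
}

# Are any users configured? $1: saved output of "etcdctl ... user list".
# Empty output, as in the CaaSP check above, means no users and so no password logins.
# Users that only authenticate by client certificate are counted too, so this is an upper bound.
etcd_has_users() {
    grep -Eq '[^[:space:]]' "$1"
}

# Exit 0 (true) only when both observable conditions hold, otherwise 1.
etcd_cve_2021_28235_exposed() {
    etcd_debug_logging_enabled "$1" && etcd_has_users "$2"
}

# Constructed sample inputs so the script runs stand-alone; the manifest fragment
# mirrors the CaaSP static pod definition, once without and once with the debug flag.
tmp=$(mktemp -d)
cat >"$tmp/etcd-prod.yaml" <<'EOF'
    - command:
      - etcd
      - --client-cert-auth=true
      - --listen-client-urls=https://127.0.0.1:2379
      - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF
{ cat "$tmp/etcd-prod.yaml"; printf '      - --log-level=debug\n'; } >"$tmp/etcd-debug.yaml"
: >"$tmp/users-none.txt"                 # "No output" from user list
printf 'root\n' >"$tmp/users-root.txt"    # after "user add root"

for m in etcd-prod etcd-debug; do
    for u in users-none users-root; do
        if etcd_cve_2021_28235_exposed "$tmp/$m.yaml" "$tmp/$u.txt"; then
            echo "$m + $u: exposed"      # only etcd-debug + users-root
        else
            echo "$m + $u: not exposed"
        fi
    done
done
```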
In the end, CaaSP will be marked as `Not Affected` by this bug on https://www.suse.com/security/cve/CVE-2021-28235.html. Thanks to abergmann@suse.com
Closing bug as wontfix.