Bug 1868878 (CVE-2020-15115)
| Summary: | CVE-2020-15115 etcd: improper validation of passwords allows an attacker to guess or brute-force users' passwords | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abishop, bmontgom, dbecker, eparis, go-sig, gparvin, gscrivan, hvyas, jburrell, jcajka, jchaloup, jjoyce, jokerman, jramanat, jschluet, jweiser, kbasil, lacypret, lemenkov, lhh, lpeer, mburns, nstielau, puebele, sbatsche, sclewis, slinaber, sponnaga, stcannon, strigazi, tfister, thee |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | etcd 3.4.10, etcd 3.3.23 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in etcd, where it does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This flaw allows an attacker to guess or brute-force users' passwords with little computational effort. The highest threat from this vulnerability is to confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-17 19:52:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1869283, 1868879, 1870507, 1874767, 1874872, 1875653, 1875654, 1881178 | | |
| Bug Blocks: | 1868882 | | |
Description

Dhananjay Arunesh 2020-08-14 06:19:55 UTC

Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 1868879]

External References: https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh

FTR, OCP 3.x and 4.x do not use etcd internal RBAC, so exposure would only be RHEL7 use cases outside of OpenShift.

No patch was developed for this. So far only documentation got updated: https://github.com/etcd-io/etcd/commit/36f8dee00316080e4f54f5df5a12a0fedd634d2c

Statement: Red Hat OpenShift Container Platform (RHOCP) doesn't use etcd role-based access control (RBAC); instead, OpenShift OAuth authentication is used. Therefore RHOCP is not affected by this vulnerability. A similar configuration is in place in Red Hat OpenStack Platform (RHOSP), as etcd does not use a password for access and instead uses a TLS certificate.

This issue has been addressed in the following products:

Red Hat OpenStack Platform 16.1: via RHSA-2021:0916 https://access.redhat.com/errata/RHSA-2021:0916

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15115