Bug 1552714 (CVE-2018-1098) - CVE-2018-1098 etcd: Cross-site request forgery via crafted local POST forms
Summary: CVE-2018-1098 etcd: Cross-site request forgery via crafted local POST forms
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1552720 1552721 1553762 1553763 1566226 1590309
Blocks: 1552719
TreeView+ depends on / blocked
 
Reported: 2018-03-07 15:29 UTC by Pedro Sampaio
Modified: 2021-10-21 19:56 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A cross-site request forgery flaw has been discovered in etcd. A remote attacker could set up a malicious website that execute POST requests to an etcd server to modify or add a key.
Clone Of:
Environment:
Last Closed: 2021-10-21 19:56:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2018-03-07 15:29:46 UTC 
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Upstream bug:

https://github.com/coreos/etcd/issues/9353
Comment 1 Pedro Sampaio 2018-03-07 15:42:22 UTC 
Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 1552720]
Comment 6 Riccardo Schirone 2018-06-12 09:58:25 UTC 
Reference:
https://www.twistlock.com/2018/02/28/dear-developers-beware-dns-rebinding/
Comment 8 Riccardo Schirone 2018-06-12 12:17:11 UTC 
If etcd supports the new v3 API, the attacker can run more operations through POST, as described in the reference blog post.
Comment 11 Riccardo Schirone 2018-06-19 08:13:19 UTC 
Mitigation:

Configure and enable authentication on the etcd server.
Note You need to log in before you can comment on or make changes to this bug.