etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort. References: https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
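Added illustration (not etcd's code): the length check that affected etcd versions lacked, as a policy function an operator using etcd RBAC could run before creating a user. The minimum length of 12 and the 40-bit floor are assumed local policy values; GuessSpaceBits only estimates the brute-force search space from the character classes present.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"unicode"
)

// Assumed local policy: etcd before 3.3.23 / 3.4.10 accepted any length,
// including a one-character password.
const MinPasswordLength = 12
const MinGuessSpaceBits = 40.0

var ErrTooShort = errors.New("password shorter than minimum length")
var ErrLowEntropy = errors.New("password search space too small")

// GuessSpaceBits returns log2 of the search space a brute-force attacker
// must cover: length * log2(alphabet), where the alphabet is the union of
// character classes actually present (lower 26, upper 26, digit 10, other 33).
func GuessSpaceBits(pw string) float64 {
	var lower, upper, digit, other bool
	n := 0
	for _, r := range pw {
		n++
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	alphabet := 0
	for _, c := range []struct{ on bool; size int }{{lower, 26}, {upper, 26}, {digit, 10}, {other, 33}} {
		if c.on {
			alphabet += c.size
		}
	}
	if alphabet == 0 {
		return 0
	}
	return float64(n) * math.Log2(float64(alphabet))
}

// ValidateEtcdPassword enforces the checks before e.g. `etcdctl user add`.
func ValidateEtcdPassword(pw string, minLen int) error {
	if n := len([]rune(pw)); n < minLen {
		return fmt.Errorf("%w: got %d, want >= %d", ErrTooShort, n, minLen)
	}
	if b := GuessSpaceBits(pw); b < MinGuessSpaceBits {
		return fmt.Errorf("%w: %.1f bits, want >= %.0f", ErrLowEntropy, b, MinGuessSpaceBits)
	}
	return nil
}

func main() {
	for _, pw := range []string{"a", "123456789012", "correct-horse-battery"} {
		fmt.Printf("%q: %v\n", pw, ValidateEtcdPassword(pw, MinPasswordLength))
	}
}
```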
Created etcd tracking bugs for this issue: Affects: fedora-all [bug 1868879]
External References: https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
FTR ocp 3.x and 4.x do not use etcd internal RBAC so exposure would only be RHEL7 use cases outside of OpenShift.
No patch was developed for this. So far only documentation got updated: https://github.com/etcd-io/etcd/commit/36f8dee00316080e4f54f5df5a12a0fedd634d2c
Statement: Red Hat OpenShift Container Platform (RHOCP) does not use etcd role-based access control (RBAC); OpenShift OAuth authentication is used instead. Therefore RHOCP is not affected by this vulnerability. A similar configuration is in place in Red Hat OpenStack Platform (RHOSP), where etcd does not use a password for access and instead uses a TLS certificate.
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:0916 https://access.redhat.com/errata/RHSA-2021:0916
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15115