In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL. References: https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2
Created etcd tracking bugs for this issue: Affects: fedora-all [bug 1868884]
Upstream fix: https://github.com/etcd-io/etcd/commit/4571e528f49625d3de3170f219a45c3b3d38c675
External References: https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2
Statement: * In Red Hat OpenShift Container Platform (RHOCP), the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable etcd to authenticated users only. * In Red Hat OpenStack Platform (RHOSP), the use of etcd is limited to the internal API network, which is not accessible to OpenStack tenants. The security impact for these products is therefore rated as Low.
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:0916 https://access.redhat.com/errata/RHSA-2021:0916
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15106
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2021:1407 https://access.redhat.com/errata/RHSA-2021:1407
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438