{ "threat_severity" : "Moderate", "public_date" : "2019-01-11T22:05:00Z", "bugzilla" : { "description" : "etcd: Improper Authentication in auth/store.go:AuthInfoFromTLS() via gRPC-gateway", "id" : "1651034", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1651034" }, "cvss3" : { "cvss3_base_score" : "6.8", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-287", "details" : [ "etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.", "Etcd, versions 3.2.0 through 3.2.25 and 3.3.0 through 3.3.10, are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server's TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway." ], "statement" : "OpenShift Container Platform 3.x, and 4.1 versions do not use etcd Role-based access control so they are not affected.", "acknowledgement" : "Red Hat would like to thank Matt Wheeler (Osirium) for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7 Extras", "release_date" : "2019-06-04T00:00:00Z", "advisory" : "RHSA-2019:1352", "cpe" : "cpe:/a:redhat:rhel_extras_other:7", "package" : "etcd-0:3.2.26-1.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "etcd3", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "cluster-autoscaler", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "metrics-server", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-etcd-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "etcd", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-16886\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16886" ], "name" : "CVE-2018-16886", "mitigation" : { "value" : "Ensure that the client server TLS certificate (specified in --cert-file argument or ETCD_CERT_FILE environment variable) does not include a CN (Common Name) field. If a Common Name field is part of this certificate, replace it with one which omits it.\nTo check the CN field of a certificate:\nopenssl x509 -noout -subject -in /path/to/client.crt | grep -o 'CN.*'\nTo check if there is a username matching the CN field in the TLS client certificate:\netcdctl user get \nFor more information on TLS authentication features including how client-cert-auth is enabled, refer to the etcd transport security model documentation: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md\nFor more information on Role-based access control including how it is enabled, refer to the etcd role-based access control documentation: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/authentication.md", "lang" : "en:us" }, "csaw" : false }