SB2022092231 - Ubuntu update for etcd

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022092231

SB2022092231 - Ubuntu update for etcd

Published: September 22, 2022 Updated: October 19, 2022

Security Bulletin ID SB2022092231
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2020-15106)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application, as a large slice causes panic in decodeRecord method. A remote attacker can  forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.


2) Resource management error (CVE-ID: CVE-2020-15112)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application, as it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.


3) Improper Preservation of Permissions (CVE-ID: CVE-2020-15113)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software improperly sets permissions to certain directory paths in case they were previously created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients). A local user can gain unauthorized access to sensitive information on the system.


4) Resource exhaustion (CVE-ID: CVE-2020-15114)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote authenticated user can include the gateway address as an endpoint, trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References