Date: Mon, 14 Jan 2019 14:43:58 +1100
From: Paul Harvey <>
Subject: CVE-2018-16886 etcd: Improper Authentication in auth/store.go:AuthInfoFromTLS() via gRPC-gateway


etcd versions 3.2.0 through 3.3.10 are vulnerable to an improper
authentication issue when role-based access control (RBAC) is used and
client-cert-auth is enabled. If an etcd client server TLS certificate
contains a Common Name (CN) which matches a valid RBAC username, a
remote attacker may authenticate as that user with any valid (trusted)
client certificate in a REST API request to the gRPC-gateway.

Upstream issue:

Upstream changelog:

This issue was reported by Matt Wheeler (Osirium)

Paul Harvey / Red Hat Product Security
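
A defensive audit for the condition the advisory describes, added here as an example; it is not part of the original post or of etcd's own code. It parses the Subject CommonName of every certificate in a PEM bundle and reports any CN that equals an RBAC username, which is the collision that, with client-cert-auth enabled, lets a certificate stand in for that user. The self-signed certificate and the RBAC user list are constructed inline so the program runs offline; on a real deployment you would feed it the serving and client certificate files and the names printed by `etcdctl user list`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSignedPEM builds a throwaway self-signed certificate with the given
// CommonName so the check can run offline. This is constructed sample data,
// not a certificate taken from an etcd deployment.
func makeSelfSignedPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CertCNs parses every CERTIFICATE block in a PEM bundle and returns the
// Subject CommonName of each one, in file order.
func CertCNs(pemData []byte) ([]string, error) {
	var cns []string
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		cns = append(cns, cert.Subject.CommonName)
	}
	return cns, nil
}

// CNCollisions returns every CN that exactly matches an RBAC username.
// Any hit is a certificate that, with client-cert-auth on, maps to that user.
func CNCollisions(cns []string, rbacUsers []string) []string {
	users := make(map[string]bool, len(rbacUsers))
	for _, u := range rbacUsers {
		users[u] = true
	}
	var hits []string
	for _, cn := range cns {
		if users[cn] {
			hits = append(hits, cn)
		}
	}
	return hits
}

func main() {
	// Constructed sample: a serving certificate whose CN happens to equal an RBAC user.
	bundle, err := makeSelfSignedPEM("root")
	if err != nil {
		panic(err)
	}
	cns, err := CertCNs(bundle)
	if err != nil {
		panic(err)
	}
	// Constructed user list; in practice take it from `etcdctl user list`.
	hits := CNCollisions(cns, []string{"root", "app-writer"})
	fmt.Printf("certificate CNs: %v\ncollisions with RBAC users: %v\n", cns, hits)
}
```

An empty collision list is the desired state: serving and client certificates whose CNs are not also RBAC usernames. The comparison is exact because etcd's username match is a string comparison, so a near miss such as a different case is reported as no collision.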
