-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0447
                SUSE Security Update: Security update for etcd
                              13 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           etcd
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16886 CVE-2018-16873
Reference:         ESB-2019.0294
                   ESB-2019.0027

Original Bulletin:
   https://www.suse.com/support/update/announcement/2019/suse-su-20190330-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for etcd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0330-1
Rating:             important
References:         #1095184 #1118897 #1121850
Cross-References:   CVE-2018-16873 CVE-2018-16886
Affected Products:
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   This update for etcd to version 3.3.11 fixes the following issues:

   Security vulnerabilities addressed:

   - CVE-2018-16886: Fixed an improper authentication issue when role-based
     access control (RBAC) was used and client-cert-auth was enabled. This
     allowed a remote attacker to authenticate as a user with any valid
     (trusted) client certificate in a REST API request to the gRPC-gateway.
     (bsc#1121850)

   - CVE-2018-16873: Fixed an issue with the go get command, which allowed
     remote code execution when executed with the -u flag (bsc#1118897)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 3.0:

     To install this update, use the SUSE CaaS Platform Velum dashboard. It
     will inform you if it detects new updates and let you then trigger
     updating of the complete cluster in a controlled way.

Package List:

   - SUSE CaaS Platform 3.0 (x86_64):

      etcd-3.3.11-3.6.1
      etcdctl-3.3.11-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2018-16873.html
   https://www.suse.com/security/cve/CVE-2018-16886.html
   https://bugzilla.suse.com/1095184
   https://bugzilla.suse.com/1118897
   https://bugzilla.suse.com/1121850

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
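To verify that the update above has actually landed on a node, the following shell check is added here as an example; it is not part of the SUSE or AusCERT bulletin. It compares the installed etcd and etcdctl package versions against the fixed version from the bulletin's package list, 3.3.11-3.6.1. It assumes an RPM-based host (rpm(1) present) with packages named etcd and etcdctl, and it compares versions as numeric dot/dash-separated components rather than reproducing rpm's full rpmvercmp rules.

```shell
#!/bin/sh
# Added verification helper (not part of the SUSE or AusCERT bulletin).
# Reports whether the etcd and etcdctl packages on this node are at least the
# fixed version listed in SUSE-SU-2019:0330-1 (3.3.11-3.6.1).
# Assumptions: rpm(1) is available; package names are "etcd" and "etcdctl";
# version strings consist of numeric components separated by '.' and '-'.

FIXED_VERSION="3.3.11-3.6.1"   # etcd-3.3.11-3.6.1 / etcdctl-3.3.11-3.6.1

# vercmp A B: prints 0 if A == B, 1 if A > B, 2 if A < B.
# '-' is treated like '.', so VERSION-RELEASE strings are compared component
# by component; a missing trailing component counts as 0 (3.3.11 == 3.3.11-0).
vercmp() {
    _a=$(printf '%s' "$1" | tr '-' '.')
    _b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ca=${_a%%.*}; _cb=${_b%%.*}
        case "$_a" in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case "$_b" in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _ca=${_ca:-0}; _cb=${_cb:-0}
        if [ "$_ca" -gt "$_cb" ]; then echo 1; return 0; fi
        if [ "$_ca" -lt "$_cb" ]; then echo 2; return 0; fi
    done
    echo 0
}

# is_fixed INSTALLED: succeeds (exit 0) when INSTALLED >= FIXED_VERSION.
is_fixed() {
    case "$(vercmp "$1" "$FIXED_VERSION")" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# verdict PKG INSTALLED: prints a one-line verdict for an installed version.
verdict() {
    if is_fixed "$2"; then
        echo "$1-$2: patched (>= $FIXED_VERSION)"
    else
        echo "$1-$2: VULNERABLE, update to $1-$FIXED_VERSION (CVE-2018-16886, CVE-2018-16873)"
    fi
}

# check_node: queries rpm for both packages. Exit status: 0 if every installed
# package is at or above the fix, 1 if any is below it, 2 if rpm is unavailable.
check_node() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm(1) not found; cannot query packages" >&2
        return 2
    }
    _rc=0
    for _pkg in etcd etcdctl; do
        if _v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$_pkg" 2>/dev/null); then
            verdict "$_pkg" "$_v"
            is_fixed "$_v" || _rc=1
        else
            echo "$_pkg: not installed"
        fi
    done
    return $_rc
}

# Usage on the node, e.g. after "zypper patch":  sh etcd_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_node
fi
```

Run it with `--run` on each CaaS Platform node after the update (or after the Velum-triggered cluster update completes); a non-zero exit status from `check_node` means at least one of the two packages is still below 3.3.11-3.6.1. The comparison deliberately treats `3.3.11` and `3.3.11-0` as equal so that a bare upstream version string can also be checked.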
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXGOjlWaOgq3Tt24GAQijuQ//bQ2yfWgXJmtw1nSXqvT/C5iAcEPiIZkW
t7f6yjtirXyB40neFw+ckX1xItQa9yMowONj9dp8PMe76IjRrostODu/Xmf7r/q/
ASXKDJgVdBwEbhBaH5m4VUPF+DRwvK5VgH/eBVx96r9u0Bq0vv0QQRYlOvLv7391
h+BIvnZwFMzTImlweMVFESo1PgdLX+BiXdYq/Hu7qewe4WsiD/nIZ0V3M3t+rU4A
8yU66Mu5zIZWq2BugyYDeCyLN4BIpwcrpuSkhtnlivAtHl9adXZpjFc7DRcqeXlb
B2wPwokaJCBAsrNUjCFCvw9OMZQbvldvthL2iMzhn3enjIHGIPltjMWSHggYIfiO
XnWx/nz5jhm25DGt6ic87w3siFrt35en7awTFw7NJAyUjEVDfKo4sW6kfgdnvQ0s
GlaoIdmNyhprBG3q85Q8JX2QKxJJTQ0bhwM+U+m7DgOOYzVYeaEXRRjWGsyP4dOq
AIBJs8nPoQ6IOUe97qR37bcr5UyKDVrc8ykDCO8DQhomcnZG6FDApli758kizT5q
QdIE9Nx78hJsmi5f/e+FqH2+HYXVQlOxGQcKKTMw3UiyoO+RgTIeQC6aQcggV0mY
F1BzHs9dP8Sp77fn/ETg6cVSQShZFnseOMlJHRHkMFYZesRBnd7+SUEEFlNO7bqF
4RyZGasbTHE=
=qlV7
-----END PGP SIGNATURE-----