Bug 1211611 (CVE-2023-32082)

Summary: VUL-0: CVE-2023-32082: etcd,cosign: etc: Key name can be accessed via LeaseTimeToLive API
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Containers Team <containers-bugowner>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: containers-bugowner, meissner, stoyan.manolov
Version: unspecified
Flags: stoyan.manolov: needinfo? (containers-bugowner)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/366155/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2023-05-22 15:07:07 UTC
CVE-2023-32082

etcd is a distributed key-value store for the data of a distributed system.
Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key
names (not values) associated with a lease when the `Keys` parameter is true, even if a
user doesn't have read permission to the keys. The impact is limited to a
cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue.
There are no known workarounds.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32082
https://bugzilla.redhat.com/show_bug.cgi?id=2208131
https://www.cve.org/CVERecord?id=CVE-2023-32082
https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.4.md
https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md
https://github.com/etcd-io/etcd/pull/15656
https://github.com/etcd-io/etcd/security/advisories/GHSA-3p4g-rcw5-8298
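
A simplified Go model of the missing permission check described in the CVE text above, added here as an illustration; it is not etcd's code or the upstream patch. The types, function names, prefix-based permission model and sample keys are assumptions made for the example.

```go
package main

import (
	"errors"
	"strings"
)

// Simplified model built for illustration; every name here is hypothetical.
var ErrPermissionDenied = errors.New("permission denied")

// User is the list of key prefixes the caller's roles may read.
type User []string

func (u User) canRead(key string) bool {
	for _, p := range u {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

// Store maps a lease ID to its attached key names; auth (RBAC) is assumed on.
type Store map[int64][]string

// TimeToLiveUnchecked models the affected behaviour: no permission lookup.
func (s Store) TimeToLiveUnchecked(u User, id int64, keys bool) ([]string, error) {
	if !keys {
		return nil, nil
	}
	return s[id], nil
}

// TimeToLiveChecked denies the call unless every attached key is readable.
func (s Store) TimeToLiveChecked(u User, id int64, keys bool) ([]string, error) {
	for _, k := range s[id] {
		if keys && !u.canRead(k) {
			return nil, ErrPermissionDenied
		}
	}
	return s.TimeToLiveUnchecked(u, id, keys)
}

func main() {
	s := Store{7: {"/secrets/db"}} // constructed sample data
	_, err := s.TimeToLiveChecked(User{"/public/"}, 7, true)
	println(err == ErrPermissionDenied)
}
```

In this model a request that does not ask for keys is still answered for any user, since no key names are disclosed in that case.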

Comment 1 Thomas Leroy 2023-05-22 15:10:26 UTC
cosign embeds a vulnerable version of etcd, but doesn't use the etcd server, which can call the vulnerable etcd function. We can consider it not affected.

etcd remains vulnerable:
- SUSE:SLE-15-SP1:Update:Products:CASP40:Update
- SUSE:SLE-15:Update