Spzala

**Name of the Vulnerable Software and Affected Versions** etcd versions 3.3.0 through 3.3.22 etcd versions 3.4.0 through 3.4.9 **Description** The issue is related to a lack of validation on the size of a record stored in the length field of a WAL file. This allows for the creation of a forged, extremely large frame size that can cause a panic in the decodeRecord method when any RAFT participant tries to decode the WAL. Malformed WALs can also cause attempted out of bounds reads or creation of arbitrarily sized slices, potentially used as a Denial of Service (DoS) vector. The problem arises in the ReadAll method, where an entry index can be greater than the number of entries, leading to issues when reading WAL entries during consensus. **Recommendations** For etcd versions 3.3.0 through 3.3.22, update to version 3.3.23 or later. For etcd versions 3.4.0 through 3.4.9, update to version 3.4.10 or later. As a temporary workaround, consider restricting access to the WAL file to minimize the risk of exploitation. Avoid using the `decodeRecord` method until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** etcd versions 3.3.0 through 3.3.22 etcd versions 3.4.0 through 3.4.9 **Description** The issue is related to data validation in the ReadAll method in wal/wal.go, where it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus, potentially leading to a runtime panic and causing an arbitrary etcd consensus participant to go down. Malformed WALs can be constructed to cause attempted out of bounds reads or creation of arbitrarily sized slices, which may be used as a denial-of-service vector. **Recommendations** For etcd versions 3.3.0 through 3.3.22, update to version 3.3.23 or later. For etcd versions 3.4.0 through 3.4.9, update to version 3.4.10 or later. As a temporary workaround, consider restricting access to the `wal/wal.go` module to minimize the risk of exploitation. Avoid using the `ReadAll` method in the affected `wal/wal.go` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** etcd versions 3.3.23 and earlier etcd versions 3.4.10 and earlier **Description** The issue concerns the creation of certain directory paths with restricted access permissions by using the os.MkdirAll function, which does not perform permission checks when a given directory path exists already. This affects the etcd data directory and the directory path used for automatically generating self-signed certificates for TLS connections with clients. **Recommendations** For etcd versions 3.3.23 and earlier, ensure the directories have the desired permission (700) as a workaround. For etcd versions 3.4.10 and earlier, ensure the directories have the desired permission (700) as a workaround.

**Name of the Vulnerable Software and Affected Versions** etcd versions 3.3.0 through 3.3.22 etcd versions 3.4.0 through 3.4.9 **Description** The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway. **Recommendations** For etcd versions 3.3.0 through 3.3.22, update to version 3.3.23 or later. For etcd versions 3.4.0 through 3.4.9, update to version 3.4.10 or later. As a temporary workaround, consider restricting access to the etcd gateway to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** etcd versions prior to 3.3.23 etcd versions prior to 3.4.10 **Description** The issue allows for very short passwords, such as those with a length of one, which may enable an attacker to guess or brute-force users' passwords with little computational effort. The etcdctl and etcd API do not enforce a specific password length during user creation or user password update operations, making it the responsibility of the administrator to enforce these requirements. **Recommendations** For etcd versions prior to 3.3.23, update to version 3.3.23 or later to resolve the issue. For etcd versions prior to 3.4.10, update to version 3.4.10 or later to resolve the issue. As a temporary workaround, consider enforcing strong password policies and length requirements manually until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** etcd versions prior to 3.4.10 etcd versions prior to 3.3.23 **Description** The issue concerns the gateway TLS authentication in etcd, which is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain. No authentication is performed against endpoints provided in the `--endpoints` flag. This occurs in the `discoverEndpoints` function. **Recommendations** For etcd versions prior to 3.4.10, update to version 3.4.10 or later to resolve the issue. For etcd versions prior to 3.3.23, update to version 3.3.23 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `--endpoints` flag until a patch is applied, and rely on endpoints identified in DNS SRV records for TLS authentication. Refer to the etcd gateway documentation for more information on secure configuration and endpoint validation.