CVE-2020-15112

Name of the Vulnerable Software and Affected Versions etcd versions 3.3.0 through 3.3.22 etcd versions 3.4.0 through 3.4.9

Description The issue is related to data validation in the ReadAll method in wal/wal.go, where it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus, potentially leading to a runtime panic and causing an arbitrary etcd consensus participant to go down. Malformed WALs can be constructed to cause attempted out of bounds reads or creation of arbitrarily sized slices, which may be used as a denial-of-service vector.

Recommendations For etcd versions 3.3.0 through 3.3.22, update to version 3.3.23 or later. For etcd versions 3.4.0 through 3.4.9, update to version 3.4.10 or later. As a temporary workaround, consider restricting access to the wal/wal.go module to minimize the risk of exploitation. Avoid using the ReadAll method in the affected wal/wal.go file until the issue is resolved.