Security update for etcd

Announcement ID:	SUSE-SU-2019:0330-1
Rating:	important
References:	bsc#1095184 bsc#1118897 bsc#1121850
Cross-References:	CVE-2018-16873 CVE-2018-16886
CVSS scores:	CVE-2018-16873 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16886 ( SUSE ): 6.8 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2018-16886 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE CaaS Platform 3.0

An update that solves two vulnerabilities and has one security fix can now be installed.

Description:

This update for etcd to version 3.3.11 fixes the following issues:

Security vulnerabilities addressed:

• CVE-2018-16886: Fixed an improper authentication issue when role-based access control (RBAC) was used and client-cert-auth were enabled. This allowed an remote attacker to authenticate as user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway. (bsc#1121850)
• CVE-2018-16873: Fixed an issue with the go get command, which allowed for remote code execution when being executed with the -u flag (bsc#1118897)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE CaaS Platform 3.0
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

• SUSE CaaS Platform 3.0 (x86_64)
  • etcd-3.3.11-3.6.1
  • etcdctl-3.3.11-3.6.1

References:

• https://www.suse.com/security/cve/CVE-2018-16873.html
• https://www.suse.com/security/cve/CVE-2018-16886.html
• https://bugzilla.suse.com/show_bug.cgi?id=1095184
• https://bugzilla.suse.com/show_bug.cgi?id=1118897
• https://bugzilla.suse.com/show_bug.cgi?id=1121850