{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-05T00:00:00Z",
  "bugzilla" : {
    "description" : "etcd: gateway can include itself as an endpoint resulting in resource exhaustion and leads to DoS",
    "id" : "1868874",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1868874"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.", "A flaw was found in etcd, where the etcd gateway is a simple TCP proxy that allows basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This issue results in a denial of service since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway. The highest threat from this vulnerability is to system availability." ],
  "statement" : "In the Red Hat OpenShift Container Platform (RHOCP), the vulnerable etcd is used in the ose-etcd-container. The etcd gateway uses the version 2 API, which is not used by OCP; hence the impact of this vulnerability is Low.\nRed Hat OpenStack Platform (RHOSP) does not use the etcd gateway, and its use of etcd is limited to the internal API network, which is not accessible to any OpenStack tenants.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-07-27T00:00:00Z",
    "advisory" : "RHSA-2021:2438",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "openshift4/ose-etcd:v4.8.0-202106152230.p0.git.aefa6bf.assembly.stream",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2021-03-17T00:00:00Z",
    "advisory" : "RHSA-2021:0916",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "etcd-0:3.3.23-1.el8ost",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "etcd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15 (Stein)",
    "fix_state" : "Fix deferred",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:openstack:15",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-15114\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15114\nhttps://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224" ],
  "name" : "CVE-2020-15114",
  "csaw" : false
}