{
  "threat_severity" : "Moderate",
  "public_date" : "2023-01-16T00:00:00Z",
  "bugzilla" : {
    "description" : "openshift: etcd grpc-proxy vulnerable to the birthday attack against 64-bit block ciphers",
    "id" : "2161287",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2161287"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-327",
  "details" : [ "The birthday attack against 64-bit block ciphers (CVE-2016-2183) was reported for the health checks port (9979) on the etcd grpc-proxy component. Although CVE-2016-2183 has been fixed in the etcd components, enabling periodic health checks from kubelet required opening a new port (9979) on etcd grpc-proxy, so this port might still be considered vulnerable to the same type of attack. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), so the potential impact of this vulnerability is minimal. CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component.", "The birthday attack against 64-bit block ciphers (CVE-2016-2183) was reported for the health checks port (9979) on the etcd grpc-proxy component. Even though CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy. Therefore, this port might still be considered vulnerable to the same type of attack. The health checks on etcd grpc-proxy do not contain sensitive data, only metrics data. The potential impact related to this vulnerability is minimal. \nCVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.10",
    "release_date" : "2023-01-24T00:00:00Z",
    "advisory" : "RHSA-2023:0241",
    "cpe" : "cpe:/a:redhat:openshift:4.10::el8",
    "package" : "openshift4/ose-etcd:v4.10.0-202301062005.p0.g2a91bf0.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.11",
    "release_date" : "2023-01-19T00:00:00Z",
    "advisory" : "RHSA-2023:0069",
    "cpe" : "cpe:/a:redhat:openshift:4.11::el8",
    "package" : "openshift4/ose-etcd:v4.11.0-202301041324.p0.gc50e9aa.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2023-01-17T00:00:00Z",
    "advisory" : "RHSA-2022:7399",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "openshift4/ose-etcd:v4.12.0-202212121125.p0.g89a451c.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.9",
    "release_date" : "2023-02-13T00:00:00Z",
    "advisory" : "RHSA-2023:0574",
    "cpe" : "cpe:/a:redhat:openshift:4.9::el8",
    "package" : "openshift4/ose-etcd:v4.9.0-202301301454.p0.g9aaa8c6.assembly.stream"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-0296\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0296" ],
  "name" : "CVE-2023-0296",
  "csaw" : false
}