
Etcd has some security issues involving password complexity, sensitive information leakage, interfaces that do not require authentication, and accounts that cannot be locked

Open SingleThread opened this issue 3 years ago • 5 comments

  1. Reusing a wrong password against the interface /v2/auth/users: the account will not be locked out
  2. Calling the etcd API to create a user or update a user's password with a weak password: there is no weak-password checking mechanism
  3. With the etcd debug log enabled, calling the etcd API to create a user or update a user's password, the password ciphertext will be
  4. etcd has interfaces that can be accessed without authentication: the health and version interfaces

SingleThread avatar Mar 08 '22 09:03 SingleThread

  1. I’m not sure what’s the actual issue, but recommend not to use v2 interface. Note that v2 API and v3 API are completely separated including authentication mechanism.

  2. It’s documented in https://etcd.io/docs/v3.5/op-guide/authentication/rbac/#notes-on-password-strength Defining password strength is difficult so I think it’s not reasonable to check in etcd side.

  3. I think it’s fixed in the stable releases. Could you share the version you are using?

  4. These endpoints don’t leak sensitive information. Do you have motivation for protecting these endpoints?

mitake avatar Mar 08 '22 15:03 mitake
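Since the reply above says etcd will not check password strength on the server side, the check has to live in whatever provisions the accounts. The following is an added example of such a provisioning wrapper; it is not etcd's own code. It assumes `etcdctl user add <name> --interactive=false` reads the new password from stdin (which keeps it out of the process list), and the deny-list and thresholds are constructed placeholders for a real policy.

```python
"""Client-side password policy for etcd user creation (added example).

etcd does not enforce password strength itself, so a provisioning script
validates the password before calling etcdctl.  Policy values below are
illustrative, not an official recommendation.
"""
import re
import subprocess
import sys

# Constructed deny-list; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "etcd", "admin", "qwerty", "letmein"}

MIN_LENGTH = 14  # assumed local policy value


def validate_password(username: str, password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(p, password))
        for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("fewer than 3 character classes (lower, upper, digit, symbol)")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of 4+ identical characters")
    return problems


def add_user(username: str, password: str, etcdctl: str = "etcdctl") -> bool:
    """Validate the password, then create the user with etcdctl.

    --interactive=false is assumed to make etcdctl read the password from
    stdin, so the secret never appears in argv.  Returns True on success.
    """
    problems = validate_password(username, password)
    if problems:
        print(f"refusing to create {username}: " + "; ".join(problems), file=sys.stderr)
        return False
    proc = subprocess.run(
        [etcdctl, "user", "add", username, "--interactive=false"],
        input=password + "\n",
        text=True,
        capture_output=True,
    )
    if proc.returncode != 0:
        print(proc.stderr.strip(), file=sys.stderr)
        return False
    return True


if __name__ == "__main__":
    import getpass

    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    # Prompt rather than take the password as an argument, for the same reason.
    pwd = getpass.getpass(f"New password for {user}: ")
    sys.exit(0 if add_user(user, pwd) else 1)
```

The same `validate_password` check belongs in front of `etcdctl user passwd`, since the issue's second point covers password updates as well as creation.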

  1. I’m not sure what’s the actual issue, but recommend not to use v2 interface. Note that v2 API and v3 API are completely separated including authentication mechanism.
  2. It’s documented in https://etcd.io/docs/v3.5/op-guide/authentication/rbac/#notes-on-password-strength Defining password strength is difficult so I think it’s not reasonable to check in etcd side.
  3. I think it’s fixed in the stable releases. Could you share the version you are using?
  4. These endpoints don’t leak sensitive information. Do you have motivation for protecting these endpoints?

3. Currently using version 3.5.0

SingleThread avatar Mar 09 '22 07:03 SingleThread

That's the debug log, so you are using --log-level=debug right? I think that shouldn't be used in production environments so practically not harmful. But if you have motivation to change the behavior, I think we can fix.

mitake avatar Mar 10 '22 14:03 mitake

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 12 '22 23:06 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 21 '22 02:09 stale[bot]