- Issued:
- 2021-03-22
- Updated:
- 2021-03-22
RHSA-2021:0947 - Security Advisory
Synopsis
Moderate: pki-core and redhat-pki-theme security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for pki-core and redhat-pki-theme is now available for Red Hat Certificate System 9.7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.
Security Fix(es):
- pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)
- pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)
- pki-core: Stored XSS in TPS profile creation (CVE-2020-1696)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- TPS - Add logging to tdbAddCertificatesForCUID if adding or searching for cert record fails (BZ#1710978)
- TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8 (BZ#1858860)
- TPS - Server side key generation is not working for Identity only tokens - Missing some commits (BZ#1858861)
- TPS does not check token cuid on the user registration record during PIN reset (BZ#1858867)
- Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 2] (BZ#1895104)
- Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 4] (BZ#1914474)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Certificate System 9 x86_64
Fixes
- BZ - 1719042 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
- BZ - 1721137 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS
- BZ - 1780707 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Red Hat Certificate System 9
| SRPM | |
|---|---|
| pki-core-10.5.18-12.el7pki.src.rpm | SHA-256: 15faad442ea9df5a15413d140877af48c08cd8b50a6fe640fe2c5e624e0b6864 |
| redhat-pki-theme-10.5.18-5.el7pki.src.rpm | SHA-256: bc245cc047f881dffe8ccd76bb0fc8a9058b3fd98ef16830907f0b7754600d38 |
| x86_64 | |
| pki-core-debuginfo-10.5.18-12.el7pki.x86_64.rpm | SHA-256: 14d79421cd3984e06dff879c1e7825a96ecaae9bb64f39eea7c183f978a83767 |
| pki-ocsp-10.5.18-12.el7pki.noarch.rpm | SHA-256: 3e1b3b4b64e4e731b8af0585d11e61249aa0026fb1690ac747e7c2b1e70e3bb0 |
| pki-tks-10.5.18-12.el7pki.noarch.rpm | SHA-256: 3fef44dc466460b31945966628bc655d5f1a9f52b8d0d2325b9d904c771de170 |
| pki-tps-10.5.18-12.el7pki.x86_64.rpm | SHA-256: 1a4c16ef20f59e26a5cd1ffee2f11857776673102875f401fc22d36aeef2b16b |
| redhat-pki-console-theme-10.5.18-5.el7pki.noarch.rpm | SHA-256: 777e636ae7c16258bd1e4280d25483a6bd86b0b7eb2ff0a5efcca9e6705e1a43 |
| redhat-pki-server-theme-10.5.18-5.el7pki.noarch.rpm | SHA-256: 1fd3e1e07fd54373f347448531cfe576630548b3f0db4673058c06f8eb555d19 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
