RHSA-2024:0774 - Security Advisory

Topic

An update is now available for Red Hat Certificate System 10.4 for RHEL 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

Description

Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

Security fixes:

• JSS: memory leak in TLS connection leads to OOM (CVE-2021-4213)
• pki-core:10.6/jss: memory leak in TLS connection leads to OOM (CVE-2021-4213)

For more details about the security issues, refer to the link in the References section.

Bug fixes:

• no ROLE_ASSUME audit messages seen in TPS audit log (BZ#1549887)
• Unassign certificate enrollment request not working (BZ#1858702)
• Date Format on the TPS Agent Page (BZ#1984455)
• Directory authentication plugin requires directory admin password just for user authentication (BZ#2017505)
• Add SCEP AES support (BZ#2075363)
• JSS cannot be properly initialized after using another NSS-backed security provider (BZ#2087224)
• Empty subject field in CSR causes failure to certificate issuance (BZ#2105471)
• RA Separation by KeyType - Set Token Status (BZ#2106153)
• Disallowed "supported_groups" in TLS1.2 key exchange (BZ#2113782)
• Some unsusable profiles are present in CA's EE page (BZ#2118662)
• ClientIP and ServerIP are missing in ACCESS_SESSION_ESTABLISH/ACCESS_SESSION_TERMINATED Audit Event when PKI is acting as a Server (BZ#2122502)
• add AES support for TMS server-side keygen on latest HSM / FIPS environment (BZ#2123071)
• CA's Key Escrow is Failing Through httpd Reverse Proxy (BZ#2130250)
• Provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to support SCEP over EST (BZ#2142893)
• DHE ciphers not working (dropping DHE ciphersuites) (BZ#2142903)
• pkiconsole unable to connect pki servers that's in fips mode with client cert (BZ#2142904)
• KRA and OCSP display banner prompts during pkispawn (BZ#2142905)
• missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect (BZ#2142906)
• EST prep work (BZ#2142907)
• add AES support for TMS Shared Secret on latest HSM / FIPS environment (BZ#2142908)
• CS instance when acting as a client does not observe the cipher list set in server.xml (BZ#2142909)
• OCSP using AIA extension fails (BZ#2144080)
• Lightweight CA: Add support for multiple sub-CAs underneath primary CA (BZ#2149115)
• TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (BZ#2166003)
• Unable to use the TPS UI "Token Filter" to filter a list of tokens (BZ#2179307)
• TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) (BZ#2181142)
• root CA signing cert should not have AIA extension (BZ#2182201)
• PrettyPrintCert does not properly translate AIA information into a readable format (BZ#2184930)
• OCSP AddCRLServlet "SEVERE...NOT SUPPORTED" log messages (BZ#2190283)
• PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ#2209624)
• OCSP Responder not responding to certs issued by unknown CAs (BZ#2221818)
• pkispawn non-CA pki instance result in TLS client-authentication to its internaldb not finding pkidbuser by default (BZ#2228209)
• pkispawn externally signed sub CA clone with Thales Luna HSM fails: UNKNOWN_ISSUER (BZ#2228922)
• OCSP responder to serve status check for itself using latest CRL (BZ#2229930)
• RHCS Fails to Upgrade if Profile Does not exist (BZ#2230102)
• CLIENT_ACCESS_SESSION_* audit events contain wrong ServerPort (BZ#2233740)
• Server-side Key Generation Produces Certificates with Identical SKID (BZ#2246422)
• Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ#2251981)
• RootCA's OCSP fails to install with the SHA-2 subjectKeyIdentifier extension (BZ#2253044)
• Make key wrapping algorithm configurable between AES-KWP and AES-CBC (BZ#2253675)
• pkidestroy log keeps HSM token password (BZ#2253683)

Users of RHCS 10 are advised to upgrade to these updated packages.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Certificate System 10.4 x86_64

Fixes

• BZ - 2042900 - CVE-2021-4213 JSS: memory leak in TLS connection leads to OOM

CVEs

• CVE-2021-4213

References

• https://access.redhat.com/security/updates/classification/#moderate