
Red Hat Certificate System 9.4 EUS RHSA-2021-0948-01 Moderate: XSS Issues

Red Hat, March 22, 2021

Security update for Red Hat Certificate System 9.4 EUS resolving three stored cross-site scripting (XSS) vulnerabilities in the Token Processing System (TPS) web interface.
An update for pki-console, pki-core, and redhat-pki-theme is now available for Red Hat Certificate System 9.4 EUS.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.
Security Fix(es):
* pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)
* pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)
* pki-core: Stored XSS in TPS profile creation (CVE-2020-1696)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Update Batch Update Information to Version 20 [RHCS 9.4.z] (BZ#1931149)
* Not able to launch pkiconsole -- RHEL 7.6.z backport request [RHCS 9.4.z] (BZ#1931718)

References

https://access.redhat.com/security/cve/CVE-2019-10178
https://access.redhat.com/security/cve/CVE-2019-10180
https://access.redhat.com/security/cve/CVE-2020-1696
https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7:

Source:
idm-console-framework-1.1.17-4.el7dsrv.src.rpm
pki-console-10.5.9-2.el7pki.src.rpm
pki-core-10.5.9-15.el7pki.src.rpm
redhat-pki-theme-10.5.9-5.el7pki.src.rpm

noarch:
idm-console-framework-1.1.17-4.el7dsrv.noarch.rpm
pki-console-10.5.9-2.el7pki.noarch.rpm
pki-ocsp-10.5.9-15.el7pki.noarch.rpm
pki-tks-10.5.9-15.el7pki.noarch.rpm
redhat-pki-console-theme-10.5.9-5.el7pki.noarch.rpm
redhat-pki-server-theme-10.5.9-5.el7pki.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.9-15.el7pki.x86_64.rpm
pki-tps-10.5.9-15.el7pki.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key
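A practical check against the package list above: compare what a host reports as installed with the fixed version-release of each advisory package, using rpm's own version-ordering rules. This is an added example, not Red Hat's tooling; the fixed versions are copied from this advisory, the `rpm -qa` output fed to it is constructed, and the `rpm_vercmp` function is a compact reimplementation of rpm's segment comparison (epochs are ignored because no package in this advisory carries one).

```python
import re

# Fixed version-release per package, taken from the RHSA-2021:0948 package list.
FIXED = {
    "pki-core": "10.5.9-15.el7pki",
    "pki-tps": "10.5.9-15.el7pki",
    "pki-tks": "10.5.9-15.el7pki",
    "pki-ocsp": "10.5.9-15.el7pki",
    "pki-console": "10.5.9-2.el7pki",
    "redhat-pki-console-theme": "10.5.9-5.el7pki",
    "redhat-pki-server-theme": "10.5.9-5.el7pki",
    "idm-console-framework": "1.1.17-4.el7dsrv",
}

def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits or letters, everything else is a separator
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpm_vercmp(a, b):
    """Order two version (or release) strings as rpm does; returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def compare_vr(installed, fixed):
    """Compare 'version-release' strings: version first, release only on a tie."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)

def parse_rpm_qa(text):
    """Parse lines as printed by: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'"""
    return dict(line.split() for line in text.splitlines() if line.strip())

def missing_updates(installed):
    """Names of advisory packages that are installed but older than the fixed build."""
    return sorted(n for n, vr in installed.items()
                  if n in FIXED and compare_vr(vr, FIXED[n]) < 0)

# Constructed sample of rpm -qa output; not taken from a real host.
SAMPLE = """pki-core 10.5.9-14.el7pki
pki-tps 10.5.9-15.el7pki
pki-console 10.5.9-2.el7pki
redhat-pki-server-theme 10.5.9-4.el7pki
bash 4.2.46-34.el7
"""

if __name__ == "__main__":
    print(missing_updates(parse_rpm_qa(SAMPLE)))  # ['pki-core', 'redhat-pki-server-theme']
```

Only packages named in the advisory are judged; a host without pki-tps installed is not affected by the TPS XSS issues regardless of what the other packages report.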


Advisory ID: RHSA-2021:0948-01
Product: Red Hat Certificate System
Issue date: 2021-03-22

Topic

An update for pki-console, pki-core, and redhat-pki-theme is now available for Red Hat Certificate System 9.4 EUS.

Red Hat Certificate System 9.4 EUS is a special channel for the delivery of Red Hat Certificate System updates. Downgrading the installed packages is not supported.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7 - noarch, x86_64

Bugs Fixed

1719042 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab

1721137 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS

1780707 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
