Rocky Linux: RLSA-2021:2235 pki-core | LinuxSecurity.com
\{'type': 'Security', 'shortCode': 'RL', 'name': 'RLSA-2021:2235', 'synopsis': 'Important: pki-core:10.6 security update', 'severity': 'Important', 'topic': 'An update for the pki-core:10.6 module is now available for Rocky Linux 8.\nRocky Linux Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.', 'description': 'The Public Key Infrastructure (PKI) Core contains fundamental packages required by Rocky Linux Certificate System.\nThe PKI installer "pkispawn" logs admin credentials into a\nworld-readable log file. It also looks like the installer is passing the\npassword as an insecure command line argument. The credentials are the\n389-DS LDAP server's Directory Manager credentials. The Directory\nManager is 389-DS' equivalent of unrestricted root account. The user\nbypasses permission checks and grants full access to data. In an IdM /\nFreeIPA installation the DM user is able to read and manipulate Kerberos\nKDC master password, Kerberos keytabs, hashed user passwords, and more.\nAny and all IdM and FreeIPA installations with PKI 10.10 should be\nconsidered compromised.\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.', 'solution': None, 'affectedProducts': ['Rocky Linux 8'], 'fixes': ['1959971'], 'cves': ['Red Hat:::https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3551.json:::CVE-2021-3551'], 'references': [], 'publishedAt': '2021-07-22T03:17:35.110293Z', 'rpms': ['jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm', 'jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.src.rpm', 'jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm', 'jss-debuginfo-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm', 'jss-debuginfo-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm', 'jss-debugsource-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm', 'jss-debugsource-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm', 'jss-javadoc-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm', 'jss-javadoc-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm', 'ldapjdk-4.22.0-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm', 'ldapjdk-4.22.0-1.module+el8.4.0+418+b7ae1d4a.src.rpm', 'ldapjdk-javadoc-4.22.0-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm', 'pki-acme-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'pki-base-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'pki-base-java-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'pki-ca-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'pki-core-10.10.5-3.module+el8.4.0+554+92b527a1.src.rpm', 'pki-core-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm', 'pki-core-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm', 'pki-core-debugsource-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm', 'pki-core-debugsource-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm', 'pki-kra-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'pki-server-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'pki-symkey-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm', 'pki-symkey-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm', 'pki-symkey-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm', 'pki-symkey-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm', 'pki-tools-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm', 'pki-tools-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm', 'pki-tools-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm', 'pki-tools-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm', 'python3-pki-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm', 'tomcatjss-7.6.1-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm', 'tomcatjss-7.6.1-1.module+el8.4.0+418+b7ae1d4a.src.rpm']}\

Rocky Linux: RLSA-2021:2235 pki-core

September 2, 2022
An update for the pki-core:10

Summary

An update for the pki-core:10.6 module is now available for Rocky Linux 8. Rocky Linux Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.


The Public Key Infrastructure (PKI) Core contains fundamental packages required by Rocky Linux Certificate System. The PKI installer "pkispawn" logs admin credentials into a world-readable log file. It also looks like the installer is passing the password as an insecure command line argument. The credentials are the 389-DS LDAP server's Directory Manager credentials. The Directory Manager is 389-DS' equivalent of unrestricted root account. The user bypasses permission checks and grants full access to data. In an IdM / FreeIPA installation the DM user is able to read and manipulate Kerberos KDC master password, Kerberos keytabs, hashed user passwords, and more. Any and all IdM and FreeIPA installations with PKI 10.10 should be considered compromised. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

RPMs

jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.src.rpm
jss-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
jss-debuginfo-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
jss-debuginfo-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
jss-debugsource-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
jss-debugsource-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
jss-javadoc-4.8.1-2.module+el8.4.0+418+b7ae1d4a.aarch64.rpm
jss-javadoc-4.8.1-2.module+el8.4.0+418+b7ae1d4a.x86_64.rpm
ldapjdk-4.22.0-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm
ldapjdk-4.22.0-1.module+el8.4.0+418+b7ae1d4a.src.rpm
ldapjdk-javadoc-4.22.0-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm
pki-acme-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
pki-base-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
pki-base-java-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
pki-ca-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
pki-core-10.10.5-3.module+el8.4.0+554+92b527a1.src.rpm
pki-core-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
pki-core-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
pki-core-debugsource-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
pki-core-debugsource-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
pki-kra-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
pki-server-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
pki-symkey-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
pki-symkey-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
pki-symkey-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
pki-symkey-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
pki-tools-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
pki-tools-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
pki-tools-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.aarch64.rpm
pki-tools-debuginfo-10.10.5-3.module+el8.4.0+554+92b527a1.x86_64.rpm
python3-pki-10.10.5-3.module+el8.4.0+554+92b527a1.noarch.rpm
tomcatjss-7.6.1-1.module+el8.4.0+418+b7ae1d4a.noarch.rpm
tomcatjss-7.6.1-1.module+el8.4.0+418+b7ae1d4a.src.rpm

References

Severity
Name: RLSA-2021:2235
Affected Products: Rocky Linux 8

Fixes

https://bugzilla.redhat.com/show_bug.cgi?id=1959971

CVES

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3551.json

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.