RLSA-2021:2235

See a problem?
Please try reporting it to the source first.
Source
https://errata.rockylinux.org/RLSA-2021:2235
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2021:2235.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2021:2235
Related
Published
2021-06-03T07:53:39Z
Modified
2023-02-02T14:10:47.924070Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Important: pki-core:10.6 security update
Details

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Rocky Enterprise Software Foundation Certificate System.

Security Fix(es):

  • pki-server: Dogtag installer "pkispawn" logs admin credentials into a world-readable log file (CVE-2021-3551)

The PKI installer "pkispawn" logs admin credentials into a world-readable log file. It also looks like the installer is passing the password as an insecure command line argument. The credentials are the 389-DS LDAP server's Directory Manager credentials. The Directory Manager is 389-DS' equivalent of unrestricted root account. The user bypasses permission checks and grants full access to data. In an IdM / FreeIPA installation the DM user is able to read and manipulate Kerberos KDC master password, Kerberos keytabs, hashed user passwords, and more. Any and all IdM and FreeIPA installations with PKI 10.10 should be considered compromised.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:8 / jss

Package

Name
jss
Purl
pkg:rpm/rocky-linux/jss?distro=rocky-linux-8-4-legacy&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:4.8.1-2.module+el8.4.0+418+b7ae1d4a

Rocky Linux:8 / ldapjdk

Package

Name
ldapjdk
Purl
pkg:rpm/rocky-linux/ldapjdk?distro=rocky-linux-8-4-legacy&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:4.22.0-1.module+el8.4.0+418+b7ae1d4a

Rocky Linux:8 / pki-core

Package

Name
pki-core
Purl
pkg:rpm/rocky-linux/pki-core?distro=rocky-linux-8-4-legacy&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:10.10.5-3.module+el8.4.0+554+92b527a1

Rocky Linux:8 / tomcatjss

Package

Name
tomcatjss
Purl
pkg:rpm/rocky-linux/tomcatjss?distro=rocky-linux-8-4-legacy&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:7.6.1-1.module+el8.4.0+418+b7ae1d4a