RHEL 8 : Red Hat Certificate System 10.4 for RHEL 8 (RHSA-2024:0774)

Severity: High | Nessus Plugin ID 194292

Synopsis

The remote Red Hat host is missing a security update for Red Hat Certificate System 10.4 for RHEL 8.

Description

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:0774 advisory.

Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

Security fixes:

* JSS: memory leak in TLS connection leads to OOM (CVE-2021-4213)

* pki-core:10.6/jss: memory leak in TLS connection leads to OOM (CVE-2021-4213)

For more details about the security issues, refer to the link in the References section.

Bug fixes:

* no ROLE_ASSUME audit messages seen in TPS audit log (BZ#1549887)

* Unassign certificate enrollment request not working (BZ#1858702)

* Date Format on the TPS Agent Page (BZ#1984455)

* Directory authentication plugin requires directory admin password just for user authentication (BZ#2017505)

* Add SCEP AES support (BZ#2075363)

* JSS cannot be properly initialized after using another NSS-backed security provider (BZ#2087224)

* Empty subject field in CSR causes failure to certificate issuance (BZ#2105471)

* RA Separation by KeyType - Set Token Status (BZ#2106153)

* Disallowed supported_groups in TLS1.2 key exchange (BZ#2113782)

* Some unusable profiles are present in CA's EE page (BZ#2118662)

* ClientIP and ServerIP are missing in ACCESS_SESSION_ESTABLISH/ACCESS_SESSION_TERMINATED Audit Event when PKI is acting as a Server (BZ#2122502)

* add AES support for TMS server-side keygen on latest HSM / FIPS environment (BZ#2123071)

* CA's Key Escrow is Failing Through httpd Reverse Proxy (BZ#2130250)

* Provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to support SCEP over EST (BZ#2142893)

* DHE ciphers not working (dropping DHE ciphersuites) (BZ#2142903)

* pkiconsole unable to connect pki servers that's in fips mode with client cert (BZ#2142904)

* KRA and OCSP display banner prompts during pkispawn (BZ#2142905)

* missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect (BZ#2142906)

* EST prep work (BZ#2142907)

* add AES support for TMS Shared Secret on latest HSM / FIPS environment (BZ#2142908)

* CS instance when acting as a client does not observe the cipher list set in server.xml (BZ#2142909)

* OCSP using AIA extension fails (BZ#2144080)

* Lightweight CA: Add support for multiple sub-CAs underneath primary CA (BZ#2149115)

* TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (BZ#2166003)

* Unable to use the TPS UI Token Filter to filter a list of tokens (BZ#2179307)

* TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) (BZ#2181142)

* root CA signing cert should not have AIA extension (BZ#2182201)

* PrettyPrintCert does not properly translate AIA information into a readable format (BZ#2184930)

* OCSP AddCRLServlet SEVERE...NOT SUPPORTED log messages (BZ#2190283)

* PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ#2209624)

* OCSP Responder not responding to certs issued by unknown CAs (BZ#2221818)

* pkispawn non-CA pki instance result in TLS client-authentication to its internaldb not finding pkidbuser by default (BZ#2228209)

* pkispawn externally signed sub CA clone with Thales Luna HSM fails: UNKNOWN_ISSUER (BZ#2228922)

* OCSP responder to serve status check for itself using latest CRL (BZ#2229930)

* RHCS Fails to Upgrade if Profile Does not exist (BZ#2230102)

* CLIENT_ACCESS_SESSION_* audit events contain wrong ServerPort (BZ#2233740)

* Server-side Key Generation Produces Certificates with Identical SKID (BZ#2246422)

* Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ#2251981)

* RootCA's OCSP fails to install with the SHA-2 subjectKeyIdentifier extension (BZ#2253044)

* Make key wrapping algorithm configurable between AES-KWP and AES-CBC (BZ#2253675)

* pkidestroy log keeps HSM token password (BZ#2253683)

Users of RHCS 10 are advised to upgrade to these updated packages.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL Red Hat Certificate System 10.4 for RHEL 8 package based on the guidance in RHSA-2024:0774.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2042900

http://www.nessus.org/u?e37d0de6

https://access.redhat.com/errata/RHSA-2024:0774

Plugin Details

Severity: High

ID: 194292

File Name: redhat-RHSA-2024-0774.nasl

Version: 1.1

Type: local

Agent: unix

Published: 4/28/2024

Updated: 6/3/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2021-4213

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:redhat-pki, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:jss

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2/12/2024

Vulnerability Publication Date: 2/15/2022

Reference Information

CVE: CVE-2021-4213

CWE: 401

RHSA: 2024:0774