CentOS 6 : pki-core (CESA-2015:1347)

medium Nessus Plugin ID 85014

Synopsis

The remote CentOS host is missing one or more security updates.

Description

Updated pki-core packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority (CA) subsystem.

Multiple cross-site scripting flaws were discovered in the Red Hat Certificate System Agent and End Entity pages. An attacker could use these flaws to perform a cross-site scripting (XSS) attack against victims using the Certificate System's web interface. (CVE-2012-2662)

This update also fixes the following bugs :

* Previously, pki-core required the SSL version 3 (SSLv3) protocol ranges to communicate with the 389-ds-base packages. However, recent changes to 389-ds-base disabled the default use of SSLv3 and enforced using protocol ranges supported by secure protocols, such as the TLS protocol. As a consequence, the CA failed to install during an Identity Management (IdM) server installation. This update adds TLS-related parameters to the server.xml file of the CA to fix this problem, and running the ipa-server-install command now installs the CA as expected. (BZ#1171848)

* Previously, the ipa-server-install script failed when attempting to configure a stand-alone CA on systems with OpenJDK version 1.8.0 installed. The pki-core build and runtime dependencies have been modified to use OpenJDK version 1.7.0 during the stand-alone CA configuration. As a result, ipa-server-install no longer fails in this situation. (BZ#1212557)

* Creating a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 replica running the CA service sometimes failed in IdM deployments where the initial Red Hat Enterprise Linux 6 CA master had been removed. This could cause problems in some situations, such as when migrating from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7. The bug occurred due to a problem in a previous version of IdM where the subsystem user, created during the initial CA server installation, was removed together with the initial master.
This update adds the restore-subsystem-user.py script that restores the subsystem user in the described situation, thus enabling administrators to create a Red Hat Enterprise Linux 7 replica in this scenario. (BZ#1225589)

* Several Java import statements specify wildcard arguments. However, due to the use of wildcard arguments in the import statements of the source code contained in the Red Hat Enterprise Linux 6 maintenance branch, a name space collision created the potential for an incorrect class to be utilized. As a consequence, the Token Processing System (TPS) rebuild test failed with an error message. This update addresses the bug by supplying the fully named class in all of the affected areas, and the TPS rebuild test no longer fails. (BZ#1144188)

* Previously, pki-core failed to build with the rebased version of the CMake build system during the TPS rebuild test. The pki-core build files have been updated to comply with the rebased version of CMake.
As a result, pki-core builds successfully in the described scenario.
(BZ#1144608)

Users of pki-core are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Solution

Update the affected pki-core packages.

See Also

http://www.nessus.org/u?22b797ea

Plugin Details

Severity: Medium

ID: 85014

File Name: centos_RHSA-2015-1347.nasl

Version: 2.7

Type: local

Agent: unix

Published: 7/28/2015

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2012-2662

Vulnerability Information

CPE: p-cpe:/a:centos:centos:pki-symkey, p-cpe:/a:centos:centos:pki-selinux, p-cpe:/a:centos:centos:pki-util, cpe:/o:centos:centos:6, p-cpe:/a:centos:centos:pki-util-javadoc, p-cpe:/a:centos:centos:pki-setup, p-cpe:/a:centos:centos:pki-silent, p-cpe:/a:centos:centos:pki-common-javadoc, p-cpe:/a:centos:centos:pki-java-tools-javadoc, p-cpe:/a:centos:centos:pki-java-tools, p-cpe:/a:centos:centos:pki-common, p-cpe:/a:centos:centos:pki-ca, p-cpe:/a:centos:centos:pki-native-tools

Required KB Items: Host/local_checks_enabled, Host/CentOS/release, Host/CentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/26/2015

Vulnerability Publication Date: 8/13/2012

Reference Information

CVE: CVE-2012-2662

BID: 54608

RHSA: 2015:1347