Threat Encyclopedia

RHSA-2021:2235-Security Advisory

Description

The vulnerabilities in the following products could cause the system to become vulnerable to malicious security attack: jss

Analysis

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es): pki-server: Dogtag installer 'pkispawn' logs admin credentials into a world-readable log file (CVE-2021-3551) The PKI installer 'pkispawn' logs admin credentials into aworld-readable log file. It also looks like the installer is passing thepassword as an insecure command line argument. The credentials are the389-DS LDAP server's Directory Manager credentials. The DirectoryManager is 389-DS' equivalent of unrestricted root account. The userbypasses permission checks and grants full access to data. In an IdM /FreeIPA installation the DM user is able to read and manipulate KerberosKDC master password, Kerberos keytabs, hashed user passwords, and more.Any and all IdM and FreeIPA installations with PKI 10.10 should beconsidered compromised. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. SolutionFor details on how to apply this update, which includes the changes described in this advisory, refer to:https://access.redhat.com/articles/11258

Affected Products

jss

CVE References

CVE-2021-3551