ESB-2018.1860 - [RedHat] pki-core: Increased privileges - Remote with user interaction 2018-06-27

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1860
       Moderate: pki-core security, bug fix, and enhancement update
                               27 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pki-core
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Increased Privileges -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1080  

Reference:         ESB-2018.1748

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:1979

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pki-core security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:1979-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1979
Issue date:        2018-06-26
CVE Names:         CVE-2018-1080 
=====================================================================

1. Summary:

An update for pki-core is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - noarch, ppc64le, s390x

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages
required by Red Hat Certificate System.

Security Fix(es):

* pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules
that allow and deny access (CVE-2018-1080)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

This issue was discovered by Fraser Tweedale (Red Hat).

Bug Fix(es):

* Previously, when ECC keys were enrolled, Certificate Management over CMS
(CMC) authentication failed with a "TokenException: Unable to insert
certificate into temporary database" error. As a consequence, the
enrollment failed. This update fixes the problem. As a result, the
mentioned bug no longer occurs. (BZ#1550581)

* Previously, Certificate System used the same enrollment profiles for
issuing RSA and ECC certificates. As a consequence, the key usage extension
in issued certificates did not meet the Common Criteria standard. This
update adds ECC-specific enrollment profiles where the key usage extension
for TLS server and client certificates are different as described in RFC
6960. Additionally, the update changes existing profiles to issue only RSA
certificates. As a result, the key usage extension in ECC certificates now
meets the Common Criteria standard. (BZ#1554726)

* The Certificate System server rejects saving invalid access control lists
(ACL). As a consequence, when saving an ACL with an empty expression, the
server rejected the update and the pkiconsole utility displayed an
StringIndexOutOfBoundsException error. With this update, the utility
rejects empty ACL expressions. As a result, invalid ACLs cannot be saved
and the error is no longer displayed. (BZ#1557883)

* Previously, due to a bug in the Certificate System installation
procedure, installing a Key Recovery Authority (KRA) with ECC keys failed.
To fix the problem, the installation process has been updated to handle
both RSA and ECC subsystems automatically. As a result, installing
subsystems with ECC keys no longer fail. (BZ#1581134)

* Previously, during verification, Certificate System encoded the ECC
public key incorrectly in CMC Certificate Request Message Format (CRMF)
requests. As a consequence, requesting an ECC certificate with Certificate
Management over CMS (CMC) in CRMF failed. The problem has been fixed, and
as a result, CMC CRMF requests using ECC keys work as expected.
(BZ#1585945)

Enhancement(s):

* The pkispawn man page has been updated and now describes the
- - --skip-configuration and --skip-installation parameters. (BZ#1551067)

* With this update, Certificate System adds the Subject Alternative Name
(SAN) extension by default to server certificates and sets it to the Common
Name (CN) of the certificate. (BZ#1581135)

* With this enhancement, users can create Certificate Request Message
Format (CRMF) requests without the key archival option when using the
CRMFPopClient utility. This feature increases flexibility because a Key
Recovery Authority (KRA) certificate is no longer required. Previously, if
the user did not pass the "-b transport_certificate_file" option to
CRMFPopClient, the utility automatically used the KRA transport certificate
stored in the transport.txt file. With this update, if "-b
transport_certificate_file" is not specified, Certificate System creates a
request without using key archival. (BZ#1588945)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1550581 - CMCAuth throws  org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z]
1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z]
1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]
1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z]
1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . [rhel-7.5.z]
1556657 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z]
1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException (RHEL) [rhel-7.5.z]
1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z]
1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z]
1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z]
1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z]
1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z]
1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z]
1588944 - Cert validation for installation with external CA cert [rhel-7.5.z]
1588945 - CRMFPopClient tool - should allow option to do no key archival [rhel-7.5.z]

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
pki-tools-10.5.1-13.1.el7_5.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
pki-tools-10.5.1-13.1.el7_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

ppc64le:
pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
pki-tools-10.5.1-13.1.el7_5.ppc64le.rpm

x86_64:
pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
pki-tools-10.5.1-13.1.el7_5.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

aarch64:
pki-core-debuginfo-10.5.1-13.1.el7_5.aarch64.rpm
pki-symkey-10.5.1-13.1.el7_5.aarch64.rpm
pki-tools-10.5.1-13.1.el7_5.aarch64.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

ppc64le:
pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
pki-tools-10.5.1-13.1.el7_5.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

ppc64:
pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64.rpm
pki-symkey-10.5.1-13.1.el7_5.ppc64.rpm
pki-tools-10.5.1-13.1.el7_5.ppc64.rpm

ppc64le:
pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
pki-symkey-10.5.1-13.1.el7_5.ppc64le.rpm

s390x:
pki-core-debuginfo-10.5.1-13.1.el7_5.s390x.rpm
pki-symkey-10.5.1-13.1.el7_5.s390x.rpm
pki-tools-10.5.1-13.1.el7_5.s390x.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

ppc64le:
pki-core-debuginfo-10.5.1-13.1.el7_5.ppc64le.rpm
pki-symkey-10.5.1-13.1.el7_5.ppc64le.rpm

s390x:
pki-core-debuginfo-10.5.1-13.1.el7_5.s390x.rpm
pki-symkey-10.5.1-13.1.el7_5.s390x.rpm
pki-tools-10.5.1-13.1.el7_5.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
pki-core-10.5.1-13.1.el7_5.src.rpm

noarch:
pki-base-10.5.1-13.1.el7_5.noarch.rpm
pki-base-java-10.5.1-13.1.el7_5.noarch.rpm
pki-ca-10.5.1-13.1.el7_5.noarch.rpm
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
pki-server-10.5.1-13.1.el7_5.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.1-13.1.el7_5.x86_64.rpm
pki-symkey-10.5.1-13.1.el7_5.x86_64.rpm
pki-tools-10.5.1-13.1.el7_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
pki-javadoc-10.5.1-13.1.el7_5.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1080
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWzJu/tzjgjWX9erEAQg1lxAAlxDc87fRo/w35qOiFXbnbqh7kwUo1lTM
GDoWmjiZ/+0Z472coRNmMmRoKoZFW9t5aY3rCwvF+rUNCfj6KWUwPzGcgp4nqu2b
XCB9eiXl/8npMMr1UghPMzl1XaP2s8YSOi4P2SWmmq5Ir0MC4YJGfWoF1DUWybbh
eT4NRwMPyWH3r0go2Q0GmpFMYSLrfN2J0C8t8xZ0XfYtDXHZFWiLL/1K+FpunJv9
cHBvcBOIouXSsXD1xmvqLic8Kap+YoRNwdFPCeizwHTiJ3pXOCzF0asrtJ3cl0HB
OllXtCMChsdg3WIYybPcbflJqObq48zcEyFWC3w4VT7IOwkgKTe6CCLE3CuYbgkE
iubWTArf7JtjdEFqY6oXLC49lPQQH0QePj3w2WCyrA2TJoca/wtN/5Gq9fdWthFf
Y8BP3tP76sJyTfaoMAlY8HQKcIOJrXsVmGmU29WKEpWldOZkyEyxrryVDX6AruIR
gzgY9yAwtrywAb1qw4olJbnUTzWVUrT9jGfJdM81gsMSe1Pdkku2i3zrH4vq/Xaz
LycExgYXk8jqsIhuaHpf9FMRQBVX2Ieg/DdzarBkmZnhhBdaMglIbWOPZ7ecnvsN
Bf/QDZc3/OKyGAgpYF0Mc+020vUWEsJFAwEKW2BbYHx7rtVABZmHRNVslJc8bXcR
D+0oGC7mnpk=
=DUm5
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWzLbI2aOgq3Tt24GAQgZ5hAA1sUN9kc/h6+S+wTPn+fNbyg2rRVobswi
EJ7Sp8IKa0xpkhffWPXyXI5g+kIEa8lvCAJ91k3aV72TdHRFZU/V7FXrvdby2Uht
V39ySNX4XGaPMcvOAux5gqc5IIkXoPamoiJGQAV+Y2XZwsTbeDQOrAC4Zft9Cpt5
j4YsFMK9CJUKdcG6Fsc+WuWvTZuzDR/FFYqBXE8M5jlpGbOoFIS1DyDki7O8HxHK
sz9N/WBE/ym2aOdPRQCWe+g/zg4W6zXfifzBoXhqyuz7kLBuSc3RrIrW/IEKUyaw
Rh/vGoegxvvi2Y7xKU3YrLcFdZToUzxtTbMtb08MZrZJPgByu1PwxpqvF0z2vAOO
v7BGYpMSBiusWgfYZvZo1P8AOHMZnnopfI1FG97TydSwoiGwUzMqqrt52VZOIDCr
rAuIYiG2Q2VsdVSGACLBkLjrudrRFETYYUfKarN/aMXp2iJd0Vz6ru/1/7qTIKJk
YGitD1Bt3JAvcw/hYcUh/ZePpNvCQZ2xHx2faNdyU8bHHWEUdOxMsjC4JnPSmURe
NfAGWTHSnkeGm5Eh0VOUzSEs13goHREQg5zArqo4iYxK++ZRoYt7lMBHZ5aoZmmR
h+GcLCftlVQNDKuAlcn2FdwoL8GblIeLuRCqn+QvyCHUR8qPSOpaDoJwjXMAZ/yQ
DrKlFcLYjfE=
=rkHR
-----END PGP SIGNATURE-----

« Back to bulletins