-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0985
   pki-core, redhat-pki-theme and certificate system security and bug fix update
                               23 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pki-core
                   redhat-pki-theme
                   Certificate System
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1696 CVE-2019-10180 CVE-2019-10178
Reference:         ASB-2020.0221

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:0947
   https://access.redhat.com/errata/RHSA-2021:0948

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pki-core and redhat-pki-theme security and bug fix update
Advisory ID:       RHSA-2021:0947-01
Product:           Red Hat Certificate System
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0947
Issue date:        2021-03-22
CVE Names:         CVE-2019-10178 CVE-2019-10180 CVE-2020-1696
=====================================================================

1. Summary:

An update for pki-core and redhat-pki-theme is now available for Red Hat Certificate System 9.7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Certificate System 9.7 for Red Hat Enterprise Server 7 - noarch, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.

Security Fix(es):

* pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)

* pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)

* pki-core: Stored XSS in TPS profile creation (CVE-2020-1696)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* TPS - Add logging to tdbAddCertificatesForCUID if adding or searching for cert record fails (BZ#1710978)

* TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8 (BZ#1858860)

* TPS - Server side key generation is not working for Identity only tokens - - - Missing some commits (BZ#1858861)

* TPS does not check token cuid on the user registration record during PIN reset (BZ#1858867)

* Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 2] (BZ#1895104)

* Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 4] (BZ#1914474)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1719042 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
1721137 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS
1780707 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation

6. Package List:

Red Hat Certificate System 9.7 for Red Hat Enterprise Server 7:

Source:
pki-core-10.5.18-12.el7pki.src.rpm
redhat-pki-theme-10.5.18-5.el7pki.src.rpm

noarch:
pki-ocsp-10.5.18-12.el7pki.noarch.rpm
pki-tks-10.5.18-12.el7pki.noarch.rpm
redhat-pki-console-theme-10.5.18-5.el7pki.noarch.rpm
redhat-pki-server-theme-10.5.18-5.el7pki.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.18-12.el7pki.x86_64.rpm
pki-tps-10.5.18-12.el7pki.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10178
https://access.redhat.com/security/cve/CVE-2019-10180
https://access.redhat.com/security/cve/CVE-2020-1696
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYFhQ6tzjgjWX9erEAQgznw/8CXabpC7kn8wNVevZQGxeeyLv3s4IJ9ii
hxY6ZJuft87FsRlH5dT4tzAhybJN2igQGAL29OjLx6RcNkscJHr+mdKosV1CyTNd
dafD7K6LnH3X/b6PKurkfDr8ehv2xpn5Gn5p2kB6x15AceGGPrMJ6WjiYM+J0yYY
bAFaRRWbO3G27l4ZNKRSinDTU8cVxnV9olGwRcrHu8T5EdxudcEB6PHTy4dSbgwn
H5z5JF92+IbbKiD/FvfW4ryuljb+IIf2EYqDzSmKZd3bGqP7Xt1K6+Sw3K3FzSxn
nbdfAiKwMUZLJaKQWZRgwjwP2jYSeGjyMmvzyBk/a+6AsA69F7LlMjQ3jGkt2yst
O8miYKURucBY4ghtu/CngtD/wypra2zkTtxDUTMiEc0fSjwI95SPjCcvg3UZQLOE
QiKDeTptoyzrL2g4x4SSewIOEfBHEVAFy3S8a6XObGRpKG4dZvZB/tH1U+WqABBC
5z8rxRPWKPFN+4mBGLpp7S4gD2GOn1aoaZoMvPzLYIhVgHWZ+3maoDw6K1uMdl3G
TZ6wdfdfPqvlbbmRz4sn7yVOR40dWirpju26qTcPhNquN0AdXiNJZiKkX9GVP9Y0
QegBtc7phSQOKl6jKT/foj592YQLP+j9vMR0Xy6+kbUmGAFC10A3ffRlRwcbpFLw
HjTvuM1MjUI=
=yvFZ
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Certificate System security and bug fix update
Advisory ID:       RHSA-2021:0948-01
Product:           Red Hat Certificate System
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0948
Issue date:        2021-03-22
CVE Names:         CVE-2019-10178 CVE-2019-10180 CVE-2020-1696
=====================================================================

1. Summary:

An update for pki-console, pki-core, and redhat-pki-theme is now available for Red Hat Certificate System 9.4 EUS.

Red Hat Certificate System 9.4 EUS is a special channel for the delivery of Red Hat Certificate System updates. Downgrading the installed packages is not supported.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7 - noarch, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.

Security Fix(es):

* pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)

* pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)

* pki-core: Stored XSS in TPS profile creation (CVE-2020-1696)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Update Batch Update Information to Version 20 [RHCS 9.4.z] (BZ#1931149)

* Not able to launch pkiconsole -- RHEL 7.6.z backport request [RHCS 9.4.z] (BZ#1931718)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1719042 - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
1721137 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored XSS
1780707 - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation

6. Package List:

Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7:

Source:
idm-console-framework-1.1.17-4.el7dsrv.src.rpm
pki-console-10.5.9-2.el7pki.src.rpm
pki-core-10.5.9-15.el7pki.src.rpm
redhat-pki-theme-10.5.9-5.el7pki.src.rpm

noarch:
idm-console-framework-1.1.17-4.el7dsrv.noarch.rpm
pki-console-10.5.9-2.el7pki.noarch.rpm
pki-ocsp-10.5.9-15.el7pki.noarch.rpm
pki-tks-10.5.9-15.el7pki.noarch.rpm
redhat-pki-console-theme-10.5.9-5.el7pki.noarch.rpm
redhat-pki-server-theme-10.5.9-5.el7pki.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.9-15.el7pki.x86_64.rpm
pki-tps-10.5.9-15.el7pki.x86_64.rpm

Red Hat Certificate System 9.4 EUS for Red Hat Enterprise Server 7:

Source:
pki-console-10.5.9-2.el7pki.src.rpm
pki-core-10.5.9-15.el7pki.src.rpm
redhat-pki-theme-10.5.9-5.el7pki.src.rpm

noarch:
pki-console-10.5.9-2.el7pki.noarch.rpm
pki-ocsp-10.5.9-15.el7pki.noarch.rpm
pki-tks-10.5.9-15.el7pki.noarch.rpm
redhat-pki-console-theme-10.5.9-5.el7pki.noarch.rpm
redhat-pki-server-theme-10.5.9-5.el7pki.noarch.rpm

x86_64:
pki-core-debuginfo-10.5.9-15.el7pki.x86_64.rpm
pki-tps-10.5.9-15.el7pki.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10178
https://access.redhat.com/security/cve/CVE-2019-10180
https://access.redhat.com/security/cve/CVE-2020-1696
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
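A practitioner reading the two package lists above usually wants one check: is the version of each affected package that is installed on a given host older than the fixed build listed in section 6? Plain string comparison gets this wrong (it sorts "10.5.9" after "10.5.18"), so the check below is a Python reimplementation of the segment-by-segment version comparison that librpm's rpmvercmp uses, applied to the RHSA-2021:0947 package list. This is an added example, not code from Red Hat or AusCERT. The installed-package sample is constructed for illustration (it is in the shape that `rpm -qa` prints) and the example assumes an epoch of 0 for every package, which holds for the builds listed in this advisory.

```python
"""Audit installed RPM versions against the fixed builds named in an advisory.

Added example (not Red Hat's or AusCERT's code). rpmvercmp() follows the
segment algorithm of librpm's rpmvercmp(); epochs are assumed to be 0.
"""

RHSA_2021_0947_PACKAGES = [  # section 6 of RHSA-2021:0947, as printed above
    "pki-core-10.5.18-12.el7pki.src.rpm",
    "redhat-pki-theme-10.5.18-5.el7pki.src.rpm",
    "pki-ocsp-10.5.18-12.el7pki.noarch.rpm",
    "pki-tks-10.5.18-12.el7pki.noarch.rpm",
    "redhat-pki-console-theme-10.5.18-5.el7pki.noarch.rpm",
    "redhat-pki-server-theme-10.5.18-5.el7pki.noarch.rpm",
    "pki-core-debuginfo-10.5.18-12.el7pki.x86_64.rpm",
    "pki-tps-10.5.18-12.el7pki.x86_64.rpm",
]

INSTALLED_SAMPLE = [  # constructed sample in `rpm -qa` shape, not a real host
    "pki-tps-10.5.18-11.el7pki.x86_64",            # older release than the fix
    "pki-ocsp-10.5.18-12.el7pki.noarch",           # already at the fixed build
    "redhat-pki-server-theme-10.5.18-5.el7pki.noarch",
    "pki-tks-10.5.18-9.el7pki.noarch",             # older release than the fix
    "openssl-1.0.2k-21.el7_9.x86_64",              # not covered by the advisory
]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; return -1, 0 or 1."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":   # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":   # caret: the bare base version sorts lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next run of digits, or else the next run of letters, from each side.
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while ia < la and kind(a[ia]):
            ia += 1
        while jb < lb and kind(b[jb]):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:                   # segment types differ: numeric beats alphabetic
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):   # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def compare_vr(installed, fixed) -> int:
    """Compare (version, release) pairs; the release only decides ties."""
    rc = rpmvercmp(installed[0], fixed[0])
    return rc if rc else rpmvercmp(installed[1], fixed[1])


def audit(installed, fixed):
    """Return sorted (name, installed_vr, fixed_vr) for packages older than the fix."""
    fixed_by_name = {}
    for f in fixed:
        n, v, r, arch = parse_nvra(f)
        if arch != "src":            # source RPMs are never installed on a host
            fixed_by_name[n] = (v, r)
    findings = []
    for pkg in installed:
        n, v, r, _ = parse_nvra(pkg)
        if n in fixed_by_name and compare_vr((v, r), fixed_by_name[n]) < 0:
            fv, fr = fixed_by_name[n]
            findings.append((n, f"{v}-{r}", f"{fv}-{fr}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, have, want in audit(INSTALLED_SAMPLE, RHSA_2021_0947_PACKAGES):
        print(f"{name}: installed {have} is older than fixed {want}")
```

On a real RHEL 7 host the installed list would come from `rpm -qa 'pki-*' 'redhat-pki-*'`; the fixed list for the 9.4 EUS channel is the corresponding section 6 of RHSA-2021:0948. The signed-package check the advisory points to (`rpm --checksig` against Red Hat's key) is separate and should still be run before installing the update.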
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYFhdztzjgjWX9erEAQj6aA//bR+6+2CzjiglKDMwLrRzn4A0zL5hWJdV
5Vp7Di3ryqpxkTfNRiZDxpUoLRRUa1aNy9tqeZiAnP1VrqxfjM+HTtea7qCFDbsX
MBdKj4LHSiONZlS/Af4A0oUVfPMqhppIy2ZiQLVEfjZEMFH67Xhlh6f1VzshFSVe
uk+tcVG7TTOmTbjAW5i2CwpbzdTGxyOEXGcgWiQ0JiJ+tIJP2adRYiGfcu0A95ZF
s5hL5okcWP9VEvOXXDfiQMjOw3fbsrTyn7ilL9wUEpD7zH0hBuvKqmRmirYt/4G9
g39/t7wUKJ2Jue1O0NbFhZ/gn1lpemXHN2z75p+4EUeH8lw9gTapciZD24VP7gDK
djLXrErjzKr+R01BKKaw8tg0Mtvwq7HhXJS0+aEW+tytjBIsMAQyVwXWQqndRVJ8
pwq/UnU2tIVCx4/bsU0m6FDNPw3BiQAZZGZjefHKoHLtgrFgyIpLIxM2skIUsRcz
TaL3P64NHLUSQAyrbHx2moeoO00hk3IoMKUMPxU9rbTOJ5Nl1WKQGIUmGjfl69g6
S9be1WwlWiwrCdFNbOmdMzm4/Go51Nn7INKwpqmLbLhJuRh8zkQE0bQPBc5mTKBj
LOAOg0JsKhM0AId2M1Xy/88O1E2Xbb7b1+uWmcLVi7V7VY7PigDYiRD04W30B6Bo
pswGYd8qNHA=
=xm9O
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYFkrLuNLKJtyKPYoAQhAQQ/9GwMNzJpRWzbvklSmbdVE21utBLakhxp7
Hvw6YLQeRDp9dF6owYMkswceBtuWw6Nu5rbT2jcumV1YJnLUSGvxPcYOxX0OqZls
f+HBDtf12djP9uyxjz2QdcwctxPl6yMjVCSHx7F6lrGtxzEgl/MH9fI80gbUoNJQ
Ol06EnrzUiZ4E+RENSfn5tQSKPtafo9E95dJgtDV4ipnhcuoJEx8nN2V9DoOd2PN
BjWh9CuDhiJ/3fzoAjHpUtclm2xba9yCb0sN5LuD2+2LgF1rs7pf1orVtfWP4bDV
wFyB4SMCkroejeTIOfYW7qzKmXZ+QYrz1eQUS+vtIoBntuABX1nRD2wSl5BRcFGi
WYT5ttk8pbK/6DNsiA5H5b/Yr9ItaV+z2NORMQo9CnrHVGbUSQtORiEZYfGlOTXt
39PKpEo0LEzCn/e+M69tQsk318GcqW/LFREFitHP4Wbht7VxS71aWMteBP5oHlAI
HeZEuUrNCkPURWXSXCcGLjS8PU2RQJ8v3fUv5DFK7Re03nO2FaOogjzvheyCaQ9s
OS8BD8q9Jzd4aCmXcydhH/lKNpzUesxbf+BshSdU+EbnAsaZ1YsfhOVbdmvIQ48Q
/qLVeHyuAWjT3cutGwz6Jw/9X/1rZ+LbXgovOY/gV0cxdLMsN6YXnGxdsJmXm/lb
grtMn30f2XA=
=S82c
-----END PGP SIGNATURE-----