-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2170
 Moderate: Red Hat Certificate System 8 security, bug fix, and enhancement
                                   update
                               31 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Certificate System 8
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7509

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2017:2560

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Certificate System 8 security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:2560-01
Product:           Red Hat Certificate System
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2560
Issue date:        2017-08-30
CVE Names:         CVE-2017-7509
=====================================================================

1. Summary:

An update is now available for Red Hat Certificate System 8 with Advanced
Access.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Certificate System 8 Advanced Access - i386, noarch, x86_64

3. Description:

Red Hat Certificate System is a complete implementation of an enterprise
software system designed to manage enterprise public key infrastructure (PKI)
deployments.
Security Fix(es):

* An input validation error was found in Red Hat Certificate System's handling
of client-provided certificate requests. If the certreq field is not present
in an enrollment request, an assertion error is triggered in the CA, causing a
denial of service. (CVE-2017-7509)

Bug Fix(es):

* Previously, the Token Management System (TMS) required that certificates
that were on hold must first become valid before they could be revoked. This
update removes that limitation, and it is now possible to directly revoke
certificates that are currently on hold. (BZ#1262000)

* With this update, Red Hat Certificate System instances can be installed
using an existing CA signing certificate and keys. This existing CA can be a
functional CA from a different vendor, or keys and a CSR generated to be signed
by an external CA for the purpose of chaining to a publicly recognized CA. Note
that this feature is only supported when installing with the "pkisilent"
tool, not when using the graphical user interface. Additionally, since the CSR
is generated externally prior to configuration of the CA instance and is not
stored in the NSS security databases, it should be understood that the CSR
value attached to the "ca.signing.certreq" variable stored inside the
"/var/lib/pki-ca/conf/CS.cfg" file is a reconstruction of the CSR created
during configuration, and not the original CSR used to obtain the existing CA
certificate. (BZ#1280391)

* Previously, a bug in CRLDistributionPointsExtension caused some certificate
profiles to encounter problems when being viewed in the Certificate Manager
graphical interface. This bug is now fixed, and the affected profiles can now
be viewed normally. (BZ#1282589)

* Previously, if access to a component such as an HSM or an LDAP server was
lost during Certificate Revocation List (CRL) generation, the CA could become
stuck in a loop that generated large amounts of log entries until the problem
was resolved. To avoid these scenarios, two new configuration parameters are
introduced in this update to allow the CA to slow down its retries.
(BZ#1290650)

* A patch has been applied to the Token Processing System (TPS) to ensure that
the "symmetricKeys.requiredVersion" option is handled correctly in all cases.
(BZ#1302103)

* A patch has been applied to the Certificate System Token Processing System
(TPS) to fix a bug where existing objects were not always cleared when
enrolling over an active token. (BZ#1302116)

* This update fixes a bug where the Token Processing System (TPS) could not
correctly execute re-enrollment operations (taking a currently enrolled token
and enrolling it again with new certificates) on some G&D smart cards.
(BZ#1320283)

* The Token Processing System (TPS) could previously leave old data in a
token's Coolkey applet when re-enrolling the token with new certificates and
keys. This bug is now fixed, and only data associated with certificates which
are actually on the token is preserved after a successful re-enrollment.
(BZ#1327653)

* Previously, a problem when setting the final life cycle state of a token at
the end of a re-enrollment operation could cause it to fail to report that it
is properly enrolled. This bug is now fixed, and re-enrolled tokens now report
their "enrolled" status accurately. (BZ#1382376)

* Prior to this update, ECDSA certificates were issued with a NULL value in
the "parameters" field of the signature AlgorithmIdentifier. These
certificates were not compliant with the RFC 5758 specification, which
mandates that this field be omitted completely for the ecdsa-with-SHA2
algorithms. This bug has been fixed, and ECDSA certificates are now issued
without the "parameters" field. (BZ#1454414)

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1456030 - CVE-2017-7509 certificate system 8: Enrolling certificate without certreq field causes CA to crash

6. Package List:

Red Hat Certificate System 8 Advanced Access:

Source:
pki-ca-8.1.9-2.el5pki.src.rpm
pki-common-8.1.20-1.el5pki.src.rpm
pki-kra-8.1.7-2.el5pki.src.rpm
pki-silent-8.1.2-3.el5pki.src.rpm
pki-tps-8.1.30-1.el5pki.src.rpm
pki-util-8.1.3-2.el5pki.src.rpm
redhat-pki-ca-ui-8.1.1-2.el5pki.src.rpm

i386:
pki-tps-8.1.30-1.el5pki.i386.rpm

noarch:
pki-ca-8.1.9-2.el5pki.noarch.rpm
pki-common-8.1.20-1.el5pki.noarch.rpm
pki-common-javadoc-8.1.20-1.el5pki.noarch.rpm
pki-kra-8.1.7-2.el5pki.noarch.rpm
pki-silent-8.1.2-3.el5pki.noarch.rpm
pki-util-8.1.3-2.el5pki.noarch.rpm
pki-util-javadoc-8.1.3-2.el5pki.noarch.rpm
redhat-pki-ca-ui-8.1.1-2.el5pki.noarch.rpm

x86_64:
pki-tps-8.1.30-1.el5pki.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7509
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZpuLlXlSAg2UNWIIRAohyAJ9cawxlq/ugAAaLpjAuLm5wwlXoGwCfd6NE
gVwE0sK17zQnQpBRbDbi6JE=
=Qgri
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWadW6Ix+lLeg9Ub1AQj9yhAAo0rU3UrgpedCR5bAOgh48YWULh7ChoyJ
YxFrgvJSuPipUcafrZ51GWOSJegArPwylvs3mfyZ8JkjyP/+juB3iQOctWudkUxk
Gw5vMN//ohSdczT1abbT+JAKZleVT73kHwcLryu8fp5y6EmhBrWb06KHnuQ0wGeR
bJmxOLk8oYG6wn9Ufx3Fw+LvKX7EJoULppUD3Roen4qWDXzlUWIwqMZL2XxusOyH
qzit4mQtG9KSMwrTt8hiOslyU9hSKhvFA1EC0PW/TaTAzT0uFBLBV+2YtV77f3kT
DeU2xcj3O9EB0NUfkZ/cnPnC06gsrgSWlCbKD6o/WH/jf9xRXokL++Q+gwfQMLP+
RV8xf35ByPl9ttULPOw1cqN+MR5weP3sp0Qg3E4NIVWQWgM2td7wIzzcqV5wa+gI
CDzKfbYdHOICb+fiPsM2GixpdNU2vHuyGx5QYhsJfDpYOqHll+3hFbU+aXN7gmfN
g+4OnL1t0zlV7JKzG/oFzRi5ay6rKD5NC1GCgat/v6e0ztimlN0wGzfbnmxfzi7J
g+q84PbXJD6xzTLdnBA+VADDJj+HKrsUNRXXFTjAyLBQQmk4/s9IvVvsE/55JiGs
K3BaV2IPc1oSmkJ1SWHmOOE/TRTeVMs6+S+IuHvGnLDym+XppH/hOQnNl3iOivoA
tv/GIcH6b+k=
=CEwQ
-----END PGP SIGNATURE-----
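Editor's note on the ECDSA parameter fix (BZ#1454414 in the bulletin above): certificates that a pre-fix CA already issued keep their non-compliant encoding, so an operator may want to audit existing certificates for it. The script below is an added example written for this page; it is not Red Hat Certificate System code and does not come from the advisory. It walks the DER of a certificate with a small hand-written DER reader (standard library only) and applies the RFC 5758 rule (ecdsa-with-SHA2: parameters omitted) next to the opposite RFC 4055 rule for RSA PKCS#1 v1.5 (sha2WithRSAEncryption: parameters NULL), because a blanket "reject NULL parameters" check would flag every valid RSA certificate. It also compares the outer signatureAlgorithm with the tbsCertificate.signature field, which RFC 5280 requires to be identical. The certificate bytes it runs on are a constructed structural skeleton, not a real certificate; the OID tables and the function names are the example's own.

```python
# Added example (not Red Hat Certificate System code): audit a DER certificate's
# signatureAlgorithm against RFC 5758 (ECDSA) and RFC 4055 (RSA PKCS#1 v1.5).
# Standard library only; the DER reader/writer below is deliberately minimal.

NULL = b"\x05\x00"  # DER encoding of ASN.1 NULL

# RFC 5758 s3.2: for these OIDs the parameters field MUST be omitted.
ECDSA_SIG_OIDS = {"1.2.840.10045.4.3.1": "ecdsa-with-SHA224", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
                  "1.2.840.10045.4.3.3": "ecdsa-with-SHA384", "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"}
# RFC 4055 s5: for these OIDs the parameters MUST be NULL (the opposite rule; a
# verifier must still accept an absent field, but a CA must emit NULL).
RSA_PKCS1_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                      "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
                      "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def _tlv(tag, content):
    """Encode one DER TLV; long-form length for content of 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte of each arc
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def algorithm_identifier(oid, params=None):
    """DER AlgorithmIdentifier; params=None omits the field, params=NULL appends NULL."""
    return _tlv(0x30, encode_oid(oid) + (params or b""))

def check_algorithm_identifier(der):
    """Classify the parameters field of one AlgorithmIdentifier and apply the RFC rule."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_bytes, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    oid, rest = decode_oid(oid_bytes), body[pos:]
    params = "absent" if not rest else "null" if rest == NULL else "other"
    if oid in ECDSA_SIG_OIDS:
        name, ok, rule = ECDSA_SIG_OIDS[oid], params == "absent", "RFC 5758 s3.2: omit parameters"
    elif oid in RSA_PKCS1_SIG_OIDS:
        name, ok, rule = RSA_PKCS1_SIG_OIDS[oid], params == "null", "RFC 4055 s5: parameters NULL"
    else:
        name, ok, rule = "unknown", None, "no rule known to this checker"
    return {"oid": oid, "name": name, "parameters": params, "compliant": ok, "rule": rule}

def check_certificate(cert_der):
    """Check both AlgorithmIdentifiers of a DER Certificate (RFC 5280 s4.1):
    Certificate { tbsCertificate, signatureAlgorithm, signatureValue } and
    TBSCertificate { [0] version OPTIONAL, serialNumber, signature, ... }."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, pos = _read_tlv(cert, 0)          # tbsCertificate
    outer_start = pos
    _, _, pos = _read_tlv(cert, pos)          # signatureAlgorithm
    outer = cert[outer_start:pos]
    tag0, _, p = _read_tlv(tbs, 0)
    if tag0 == 0xA0:                          # explicit [0] version present: skip serialNumber too
        _, _, p = _read_tlv(tbs, p)
    inner_start = p
    _, _, p = _read_tlv(tbs, p)               # tbsCertificate.signature
    inner = tbs[inner_start:p]
    return {"signatureAlgorithm": check_algorithm_identifier(outer),
            "tbs_signature": check_algorithm_identifier(inner),
            "fields_match": outer == inner}   # RFC 5280 s4.1.1.2: the two MUST be identical

def skeleton_certificate(alg_id):
    """Constructed test input: a Certificate-shaped DER skeleton carrying only the fields
    this checker reads (v3, serial 1, both AlgorithmIdentifiers, a dummy signature).
    It is NOT a valid certificate; it exists only to exercise the checker offline."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg_id)
    dummy_sig = _tlv(0x03, b"\x00" + _tlv(0x30, _tlv(0x02, b"\x01") * 2))
    return _tlv(0x30, tbs + alg_id + dummy_sig)

if __name__ == "__main__":
    for label, params in (("before fix: NULL parameters", NULL), ("after fix: omitted", None)):
        cert = skeleton_certificate(algorithm_identifier("1.2.840.10045.4.3.2", params))
        print(label, "->", check_certificate(cert)["signatureAlgorithm"])
```

To run it against a real certificate, convert PEM to DER first (for example `openssl x509 -in cert.pem -outform DER -out cert.der`, or `ssl.PEM_cert_to_DER_cert` from the standard library) and pass the bytes to `check_certificate`. A result of `parameters == "null"` with `compliant == False` for an ecdsa-with-SHA2 OID is the pre-fix encoding described in the bulletin; `fields_match == False` is a separate RFC 5280 violation worth reporting on its own.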