Lucene search

CentOS ProjectCESA-2021:0851

HistoryMar 18, 2021 - 7:15 p.m.

pki security update

2021-03-1819:15:06

CentOS Project

lists.centos.org

101

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

AI Score

Confidence

High

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

50.1%

JSON

CentOS Errata and Security Advisory CESA-2021:0851

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.

Security Fix(es):

pki-core: Unprivileged users can renew any certificate (CVE-2021-20179)
pki-core: XSS in the certificate search results (CVE-2020-25715)
pki-core: Reflected XSS in ‘path length’ constraint field in CA’s Agent page (CVE-2019-10146)
pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA’s DRM agent page in authorize recovery tab (CVE-2019-10179)
pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221)
pki-core: KRA vulnerable to reflected XSS via the getPk12 page (CVE-2020-1721)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

Add KRA Transport and Storage Certificates profiles, audit for IPA (BZ#1883639)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2021-March/086078.html

Affected packages:
pki-base
pki-base-java
pki-ca
pki-javadoc
pki-kra
pki-server
pki-symkey
pki-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2021:0851

OSVersionArchitecturePackageVersionFilename
CentOS7noarchpki-base< 10.5.18-12.el7_9pki-base-10.5.18-12.el7_9.noarch.rpm
CentOS7noarchpki-base-java< 10.5.18-12.el7_9pki-base-java-10.5.18-12.el7_9.noarch.rpm
CentOS7noarchpki-ca< 10.5.18-12.el7_9pki-ca-10.5.18-12.el7_9.noarch.rpm
CentOS7noarchpki-javadoc< 10.5.18-12.el7_9pki-javadoc-10.5.18-12.el7_9.noarch.rpm
CentOS7noarchpki-kra< 10.5.18-12.el7_9pki-kra-10.5.18-12.el7_9.noarch.rpm
CentOS7noarchpki-server< 10.5.18-12.el7_9pki-server-10.5.18-12.el7_9.noarch.rpm
CentOS7x86_64pki-symkey< 10.5.18-12.el7_9pki-symkey-10.5.18-12.el7_9.x86_64.rpm
CentOS7x86_64pki-tools< 10.5.18-12.el7_9pki-tools-10.5.18-12.el7_9.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	noarch	pki-base	< 10.5.18-12.el7_9	pki-base-10.5.18-12.el7_9.noarch.rpm
CentOS	7	noarch	pki-base-java	< 10.5.18-12.el7_9	pki-base-java-10.5.18-12.el7_9.noarch.rpm
CentOS	7	noarch	pki-ca	< 10.5.18-12.el7_9	pki-ca-10.5.18-12.el7_9.noarch.rpm
CentOS	7	noarch	pki-javadoc	< 10.5.18-12.el7_9	pki-javadoc-10.5.18-12.el7_9.noarch.rpm
CentOS	7	noarch	pki-kra	< 10.5.18-12.el7_9	pki-kra-10.5.18-12.el7_9.noarch.rpm
CentOS	7	noarch	pki-server	< 10.5.18-12.el7_9	pki-server-10.5.18-12.el7_9.noarch.rpm
CentOS	7	x86_64	pki-symkey	< 10.5.18-12.el7_9	pki-symkey-10.5.18-12.el7_9.x86_64.rpm
CentOS	7	x86_64	pki-tools	< 10.5.18-12.el7_9	pki-tools-10.5.18-12.el7_9.x86_64.rpm