(RHSA-2024:0774) Moderate: Red Hat Certificate System 10.4 for RHEL 8 security and bug fix update

Published: 2024-02-12 09:00:59
Source: access.redhat.com
Tags: red hat certificate system 10, rhel 8, security update, bug fix, memory leak, audit log, sub-cas, pki deployments

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

AI Score: 7 High (Confidence: Low)

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

EPSS: 0.004 Low (Percentile: 73.4%)

Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

Security fixes:

  • JSS: memory leak in TLS connection leads to OOM (CVE-2021-4213)

  • pki-core:10.6/jss: memory leak in TLS connection leads to OOM (CVE-2021-4213)

For more details about the security issues, refer to the link in the References section.

Bug fixes:

  • no ROLE_ASSUME audit messages seen in TPS audit log (BZ#1549887)

  • Unassign certificate enrollment request not working (BZ#1858702)

  • Date Format on the TPS Agent Page (BZ#1984455)

  • Directory authentication plugin requires directory admin password just for user authentication (BZ#2017505)

  • Add SCEP AES support (BZ#2075363)

  • JSS cannot be properly initialized after using another NSS-backed security provider (BZ#2087224)

  • Empty subject field in CSR causes certificate issuance to fail (BZ#2105471)

  • RA Separation by KeyType - Set Token Status (BZ#2106153)

  • Disallowed “supported_groups” in TLS1.2 key exchange (BZ#2113782)

  • Some unusable profiles are present in CA’s EE page (BZ#2118662)

  • ClientIP and ServerIP are missing in ACCESS_SESSION_ESTABLISH/ACCESS_SESSION_TERMINATED Audit Event when PKI is acting as a Server (BZ#2122502)

  • add AES support for TMS server-side keygen on latest HSM / FIPS environment (BZ#2123071)

  • CA’s Key Escrow is Failing Through httpd Reverse Proxy (BZ#2130250)

  • Provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to support SCEP over EST (BZ#2142893)

  • DHE ciphers not working (dropping DHE ciphersuites) (BZ#2142903)

  • pkiconsole unable to connect to PKI servers that are in FIPS mode with client cert (BZ#2142904)

  • KRA and OCSP display banner prompts during pkispawn (BZ#2142905)

  • missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect (BZ#2142906)

  • EST prep work (BZ#2142907)

  • add AES support for TMS Shared Secret on latest HSM / FIPS environment (BZ#2142908)

  • CS instance when acting as a client does not observe the cipher list set in server.xml (BZ#2142909)

  • OCSP using AIA extension fails (BZ#2144080)

  • Lightweight CA: Add support for multiple sub-CAs underneath primary CA (BZ#2149115)

  • TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (BZ#2166003)

  • Unable to use the TPS UI “Token Filter” to filter a list of tokens (BZ#2179307)

  • TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) (BZ#2181142)

  • root CA signing cert should not have AIA extension (BZ#2182201)

  • PrettyPrintCert does not properly translate AIA information into a readable format (BZ#2184930)

  • OCSP AddCRLServlet “SEVERE…NOT SUPPORTED” log messages (BZ#2190283)

  • PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ#2209624)

  • OCSP Responder not responding to certs issued by unknown CAs (BZ#2221818)

  • pkispawn non-CA pki instance results in TLS client-authentication to its internaldb not finding pkidbuser by default (BZ#2228209)

  • pkispawn externally signed sub CA clone with Thales Luna HSM fails: UNKNOWN_ISSUER (BZ#2228922)

  • OCSP responder to serve status check for itself using latest CRL (BZ#2229930)

  • RHCS Fails to Upgrade if Profile Does not exist (BZ#2230102)

  • CLIENT_ACCESS_SESSION_* audit events contain wrong ServerPort (BZ#2233740)

  • Server-side Key Generation Produces Certificates with Identical SKID (BZ#2246422)

  • Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ#2251981)

  • RootCA’s OCSP fails to install with the SHA-2 subjectKeyIdentifier extension (BZ#2253044)

  • Make key wrapping algorithm configurable between AES-KWP and AES-CBC (BZ#2253675)

  • pkidestroy log keeps HSM token password (BZ#2253683)

Users of RHCS 10 are advised to upgrade to these updated packages.
