CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score: 7 High (Confidence: Low)
CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 0.004 Low
EPSS Percentile: 73.4%
Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.
Security fixes:
JSS: memory leak in TLS connection leads to OOM (CVE-2021-4213)
pki-core:10.6/jss: memory leak in TLS connection leads to OOM (CVE-2021-4213)
For more details about the security issues, refer to the link in the References section.
Bug fixes:
no ROLE_ASSUME audit messages seen in TPS audit log (BZ#1549887)
Unassign certificate enrollment request not working (BZ#1858702)
Date Format on the TPS Agent Page (BZ#1984455)
Directory authentication plugin requires directory admin password just for user authentication (BZ#2017505)
Add SCEP AES support (BZ#2075363)
JSS cannot be properly initialized after using another NSS-backed security provider (BZ#2087224)
Empty subject field in CSR causes certificate issuance to fail (BZ#2105471)
RA Separation by KeyType - Set Token Status (BZ#2106153)
Disallowed “supported_groups” in TLS1.2 key exchange (BZ#2113782)
Some unusable profiles are present in CA’s EE page (BZ#2118662)
ClientIP and ServerIP are missing in ACCESS_SESSION_ESTABLISH/ACCESS_SESSION_TERMINATED Audit Event when PKI is acting as a Server (BZ#2122502)
add AES support for TMS server-side keygen on latest HSM / FIPS environment (BZ#2123071)
CA’s Key Escrow is Failing Through httpd Reverse Proxy (BZ#2130250)
Provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to support SCEP over EST (BZ#2142893)
DHE ciphers not working (dropping DHE ciphersuites) (BZ#2142903)
pkiconsole unable to connect to PKI servers that are in FIPS mode with client cert (BZ#2142904)
KRA and OCSP display banner prompts during pkispawn (BZ#2142905)
missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect (BZ#2142906)
EST prep work (BZ#2142907)
add AES support for TMS Shared Secret on latest HSM / FIPS environment (BZ#2142908)
CS instance when acting as a client does not observe the cipher list set in server.xml (BZ#2142909)
OCSP using AIA extension fails (BZ#2144080)
Lightweight CA: Add support for multiple sub-CAs underneath primary CA (BZ#2149115)
TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (BZ#2166003)
Unable to use the TPS UI “Token Filter” to filter a list of tokens (BZ#2179307)
TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) (BZ#2181142)
root CA signing cert should not have AIA extension (BZ#2182201)
PrettyPrintCert does not properly translate AIA information into a readable format (BZ#2184930)
OCSP AddCRLServlet “SEVERE…NOT SUPPORTED” log messages (BZ#2190283)
PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ#2209624)
OCSP Responder not responding to certs issued by unknown CAs (BZ#2221818)
pkispawn non-CA pki instance results in TLS client-authentication to its internaldb not finding pkidbuser by default (BZ#2228209)
pkispawn externally signed sub CA clone with Thales Luna HSM fails: UNKNOWN_ISSUER (BZ#2228922)
OCSP responder to serve status check for itself using latest CRL (BZ#2229930)
RHCS Fails to Upgrade if Profile Does not exist (BZ#2230102)
CLIENT_ACCESS_SESSION_* audit events contain wrong ServerPort (BZ#2233740)
Server-side Key Generation Produces Certificates with Identical SKID (BZ#2246422)
Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ#2251981)
RootCA’s OCSP fails to install with the SHA-2 subjectKeyIdentifier extension (BZ#2253044)
Make key wrapping algorithm configurable between AES-KWP and AES-CBC (BZ#2253675)
pkidestroy log keeps HSM token password (BZ#2253683)
Users of RHCS 10 are advised to upgrade to these updated packages.