{"schema_version": "1.7.0", "id": "RLSA-2021:2235", "modified": "2023-02-02T14:10:47.924070Z", "published": "2021-06-03T07:53:39Z", "upstream": ["CVE-2021-3551"], "summary": "Important: pki-core:10.6 security update", "details": "The Public Key Infrastructure (PKI) Core contains fundamental packages required by Rocky Enterprise Software Foundation Certificate System.\n\nSecurity Fix(es):\n\n* pki-server: Dogtag installer \"pkispawn\" logs admin credentials into a world-readable log file (CVE-2021-3551)\n\nThe PKI installer \"pkispawn\" logs admin credentials into a\nworld-readable log file. It also looks like the installer is passing the\npassword as an insecure command line argument. The credentials are the\n389-DS LDAP server's Directory Manager credentials. The Directory\nManager is 389-DS' equivalent of unrestricted root account. The user\nbypasses permission checks and grants full access to data. In an IdM /\nFreeIPA installation the DM user is able to read and manipulate Kerberos\nKDC master password, Kerberos keytabs, hashed user passwords, and more.\nAny and all IdM and FreeIPA installations with PKI 10.10 should be\nconsidered compromised.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}], "affected": [{"package": {"ecosystem": "Rocky Linux:8", "name": "jss", "purl": "pkg:rpm/rocky-linux/jss?distro=rocky-linux-8-4-legacy&epoch=0"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0:4.8.1-2.module+el8.4.0+418+b7ae1d4a"}], "database_specific": {"yum_repository": "AppStream"}}]}, {"package": {"ecosystem": "Rocky Linux:8", "name": "ldapjdk", "purl": "pkg:rpm/rocky-linux/ldapjdk?distro=rocky-linux-8-4-legacy&epoch=0"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0:4.22.0-1.module+el8.4.0+418+b7ae1d4a"}], "database_specific": {"yum_repository": "AppStream"}}]}, {"package": {"ecosystem": "Rocky Linux:8", "name": "pki-core", "purl": "pkg:rpm/rocky-linux/pki-core?distro=rocky-linux-8-4-legacy&epoch=0"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0:10.10.5-3.module+el8.4.0+554+92b527a1"}], "database_specific": {"yum_repository": "AppStream"}}]}, {"package": {"ecosystem": "Rocky Linux:8", "name": "tomcatjss", "purl": "pkg:rpm/rocky-linux/tomcatjss?distro=rocky-linux-8-4-legacy&epoch=0"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0:7.6.1-1.module+el8.4.0+418+b7ae1d4a"}], "database_specific": {"yum_repository": "AppStream"}}]}], "references": [{"type": "ADVISORY", "url": "https://errata.rockylinux.org/RLSA-2021:2235"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1959971"}], "credits": [{"name": "Rocky Enterprise Software Foundation"}, {"name": "Red Hat"}]}