The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0774.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Certificate System 10.4 for RHEL 8 security and bug fix update
Advisory ID: RHSA-2024:0774-03
Product: Red Hat Certificate System
Advisory URL: https://access.redhat.com/errata/RHSA-2024:0774
Issue date: 2024-02-12
Revision: 03
CVE Names: CVE-2021-4213
====================================================================

Summary:

An update is now available for Red Hat Certificate System 10.4 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

Description:

Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

Security fixes:

* JSS: memory leak in TLS connection leads to OOM (CVE-2021-4213)
* pki-core:10.6/jss: memory leak in TLS connection leads to OOM (CVE-2021-4213)

For more details about the security issues, refer to the link in the References section.

Bug fixes:

* no ROLE_ASSUME audit messages seen in TPS audit log (BZ#1549887)
* Unassign certificate enrollment request not working (BZ#1858702)
* Date Format on the TPS Agent Page (BZ#1984455)
* Directory authentication plugin requires directory admin password just for user authentication (BZ#2017505)
* Add SCEP AES support (BZ#2075363)
* JSS cannot be properly initialized after using another NSS-backed security provider (BZ#2087224)
* Empty subject field in CSR causes failure to certificate issuance (BZ#2105471)
* RA Separation by KeyType - Set Token Status (BZ#2106153)
* Disallowed "supported_groups" in TLS1.2 key exchange (BZ#2113782)
* Some unusable profiles are present in CA's EE page (BZ#2118662)
* ClientIP and ServerIP are missing in ACCESS_SESSION_ESTABLISH/ACCESS_SESSION_TERMINATED Audit Event when PKI is acting as a Server (BZ#2122502)
* add AES support for TMS server-side keygen on latest HSM / FIPS environment (BZ#2123071)
* CA's Key Escrow is Failing Through httpd Reverse Proxy (BZ#2130250)
* Provide Enrollment over Secure Transport / EST interface to Dogtag / RFC 7030 to support SCEP over EST (BZ#2142893)
* DHE ciphers not working (dropping DHE ciphersuites) (BZ#2142903)
* pkiconsole unable to connect pki servers that's in fips mode with client cert (BZ#2142904)
* KRA and OCSP display banner prompts during pkispawn (BZ#2142905)
* missing audit event CLIENT_ACCESS_SESSION_ESTABLISH when CS instance acting as a client and fails to connect (BZ#2142906)
* EST prep work (BZ#2142907)
* add AES support for TMS Shared Secret on latest HSM / FIPS environment (BZ#2142908)
* CS instance when acting as a client does not observe the cipher list set in server.xml (BZ#2142909)
* OCSP using AIA extension fails (BZ#2144080)
* Lightweight CA: Add support for multiple sub-CAs underneath primary CA (BZ#2149115)
* TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (BZ#2166003)
* Unable to use the TPS UI "Token Filter" to filter a list of tokens (BZ#2179307)
* TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) (BZ#2181142)
* root CA signing cert should not have AIA extension (BZ#2182201)
* PrettyPrintCert does not properly translate AIA information into a readable format (BZ#2184930)
* OCSP AddCRLServlet "SEVERE...NOT SUPPORTED" log messages (BZ#2190283)
* PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ#2209624)
* OCSP Responder not responding to certs issued by unknown CAs (BZ#2221818)
* pkispawn non-CA pki instance result in TLS client-authentication to its internaldb not finding pkidbuser by default (BZ#2228209)
* pkispawn externally signed sub CA clone with Thales Luna HSM fails: UNKNOWN_ISSUER (BZ#2228922)
* OCSP responder to serve status check for itself using latest CRL (BZ#2229930)
* RHCS Fails to Upgrade if Profile Does not exist (BZ#2230102)
* CLIENT_ACCESS_SESSION_* audit events contain wrong ServerPort (BZ#2233740)
* Server-side Key Generation Produces Certificates with Identical SKID (BZ#2246422)
* Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ#2251981)
* RootCA's OCSP fails to install with the SHA-2 subjectKeyIdentifier extension (BZ#2253044)
* Make key wrapping algorithm configurable between AES-KWP and AES-CBC (BZ#2253675)
* pkidestroy log keeps HSM token password (BZ#2253683)

Users of RHCS 10 are advised to upgrade to these updated packages.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-4213

References:

https://access.redhat.com/security/updates/classification/#moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2042900
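The Packet Storm note above points out that a single-notification copy of an advisory cannot track Red Hat's later revisions. The CSAF 2.0 document this page was extracted from carries that information itself: document.tracking.version and document.tracking.revision_history record every revision, and each entry under vulnerabilities lists the products a vendor_fix remediation covers. The following reader is an added example, not part of the Packet Storm post and not Red Hat tooling. It pulls those fields out of a CSAF document and flags a cached snapshot whose revision lags the feed. The embedded sample is a constructed, heavily trimmed stand-in for rhsa-2024_0774.json: the advisory ID, CVE, severity and revision 3 match the advisory above, while the product IDs, dates and revision summaries are assumptions made for the example.

```python
# Added example: minimal CSAF 2.0 reader for a Red Hat advisory.
# Not part of the Packet Storm post or of Red Hat's own tooling.
import json
from dataclasses import dataclass, field


@dataclass
class AdvisorySummary:
    advisory_id: str
    version: str
    revisions: list                 # (number, date, summary), oldest first
    severity: str
    cves: list                      # CVE IDs under "vulnerabilities"
    fixed_products: dict = field(default_factory=dict)  # cve -> sorted product IDs


def _revision_key(number: str):
    # CSAF revision numbers are strings ("1", "3", "1.2"); compare numerically
    # per component so "10" sorts after "2".
    return tuple(int(p) if p.isdigit() else p for p in number.split("."))


def parse_csaf(doc: dict) -> AdvisorySummary:
    """Extract tracking metadata and vendor-fix coverage from a CSAF 2.0 document."""
    tracking = doc["document"]["tracking"]
    revisions = sorted(
        ((r["number"], r["date"], r.get("summary", "")) for r in tracking.get("revision_history", [])),
        key=lambda r: _revision_key(r[0]),
    )
    cves, fixed = [], {}
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve")
        if not cve:
            continue
        cves.append(cve)
        ids = set()
        for rem in vuln.get("remediations", []):
            # Only "vendor_fix" means a shipped fix. "workaround", "mitigation",
            # "no_fix_planned" and "none_available" must not count as remediated.
            if rem.get("category") == "vendor_fix":
                ids.update(rem.get("product_ids", []))
        fixed[cve] = sorted(ids)
    return AdvisorySummary(
        advisory_id=tracking["id"],
        version=tracking["version"],
        revisions=revisions,
        severity=doc["document"].get("aggregate_severity", {}).get("text", "unknown"),
        cves=cves,
        fixed_products=fixed,
    )


def is_stale(local_version: str, doc: dict) -> bool:
    """True if a locally cached copy (e.g. a one-shot notification) lags the feed's revision."""
    return _revision_key(local_version) < _revision_key(doc["document"]["tracking"]["version"])


# Constructed sample. Shape follows CSAF 2.0; ID, CVE, severity and revision 3
# come from the advisory text. Product IDs, dates and summaries are made up.
SAMPLE_CSAF = json.loads("""
{
  "document": {
    "title": "Red Hat Security Advisory: Red Hat Certificate System 10.4 for RHEL 8 security and bug fix update",
    "aggregate_severity": {"namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate"},
    "tracking": {
      "id": "RHSA-2024:0774", "status": "final", "version": "3",
      "revision_history": [
        {"number": "1", "date": "2024-02-12T00:00:00+00:00", "summary": "assumed: initial"},
        {"number": "3", "date": "2024-02-12T00:00:00+00:00", "summary": "assumed: current"},
        {"number": "2", "date": "2024-02-12T00:00:00+00:00", "summary": "assumed: regenerated"}
      ]
    }
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-4213",
      "title": "JSS: memory leak in TLS connection leads to OOM",
      "remediations": [
        {"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2024:0774",
         "product_ids": ["EXAMPLE-RHCS-10.4:jss", "EXAMPLE-RHCS-10.4:pki-core"]},
        {"category": "workaround", "details": "assumed entry", "product_ids": ["EXAMPLE-RHCS-10.4:tps"]}
      ]
    }
  ]
}
""")


if __name__ == "__main__":
    s = parse_csaf(SAMPLE_CSAF)
    print(f"{s.advisory_id} revision {s.version} severity {s.severity}")
    for num, date, summary in s.revisions:
        print(f"  rev {num} {date} {summary}")
    for cve, prods in s.fixed_products.items():
        print(f"  {cve}: vendor fix for {', '.join(prods)}")
    print("snapshot taken at revision 1 is stale:", is_stale("1", SAMPLE_CSAF))
```

Against the real feed, load the JSON from the URL at the top of this page instead of SAMPLE_CSAF; the remediation product IDs there are the full Red Hat product/package identifiers, which the example deliberately does not reproduce.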