RLSA-2021:2235 --- ldapjdkID: oval:org.secpod.oval:def:4500039 | Date: (C)2022-02-01 (M)2023-02-13 |
Class: PATCH | Family: unix |
The Public Key Infrastructure Core contains fundamental packages required by Rocky Linux Certificate System. The PKI installer pkispawn logs admin credentials into a world-readable log file. It also looks like the installer is passing the password as an insecure command line argument. The credentials are the 389-DS LDAP servers Directory Manager credentials. The Directory Manager is 389-DS equivalent of unrestricted root account. The user bypasses permission checks and grants full access to data. In an IdM / FreeIPA installation the DM user is able to read and manipulate Kerberos KDC master password, Kerberos keytabs, hashed user passwords, and more. Any and all IdM and FreeIPA installations with PKI 10.10 should be considered compromised. For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
Product: |
ldapjdk |
pki-core |
tomcatjss |
jss |
pki-acme |
pki-base |
pki-ca |
pki-kra |
pki-server |
python3-pki |
pki-symkey |
pki-tools |