jss-4.4.6-3.el7_7

Errata ID: AXSA:2019-4345:04

Release date: 
Wednesday, October 23, 2019 - 09:28
Subject: 
jss-4.4.6-3.el7_7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Java Security Services (JSS) provides an interface between the Java Virtual Machine and Network Security Services (NSS). It supports most of the security standards and encryption technologies supported by NSS, including communication through SSL/TLS network protocols. JSS is primarily utilized by the Certificate Server as a part of the Identity Management System.

Security Fix(es):

* JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate (CVE-2019-14823)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-14823
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. jss-4.4.6-3.el7_7.src.rpm
    MD5: fab95715247e6d4663b7d3a8311c8b57
    SHA-256: ac568ff3b919c997e988149d931813e2539983717e4d949fa04f6cccbc47b417
    Size: 874.83 kB

Asianux Server 7 for x86_64
  1. jss-4.4.6-3.el7_7.x86_64.rpm
    MD5: 24df8e7affa59a054f6ffab123ee78cd
    SHA-256: 5eff50935c869a47e77be95c40efed242daf69b498a695df1c79c940aa94030b
    Size: 1.12 MB