pki-core-10.5.18-12.el7
エラータID: AXSA:2021-1610:01
リリース日:
2021/03/24 Wednesday - 04:26
題名:
pki-core-10.5.18-12.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- pki-core には、CAエージェントサービスが証明書のリクエストページを
正しくサニタイズしないため、反射型のクロスサイトスクリプティング攻撃が
可能な問題があり、攻撃者がユーザーのブラウザ上で実行することが可能な、
巧妙に細工された値を挿入することができる脆弱性があります。(CVE-2019-10146)
- pki-core には、Key Recovery Authority (KRA) エージェントサービスがリクエストサーチページを
正しくサニタイズしないため、攻撃者が認証されたユーザーに、巧妙に細工された
Javascript コードを実行させる脆弱性があります。(CVE-2019-10179)
- pki-core の pki-ca モジュールには、GET URL パラメーターがサニタイズされないため、
反射型のクロスサイトスクリプティング攻撃が可能な問題があり、攻撃者は
ブラウザで開いたときに任意のコード実行が可能な、巧妙に細工されたリンクを
認証されたユーザーにクリックさせるためにクロスサイトスクリプティング攻撃を
乱用する脆弱性があります。(CVE-2019-10221)
- pki-core には、鍵の解析に成功した攻撃者が、対応する証明書が
明確に無効にされていない限り、繰り返して何度も更新できてしまう
脆弱性があります。(CVE-2021-20179)
現時点では CVE-2020-1721, CVE-2020-25715 の情報が公開されておりません。
CVE の情報が公開され次第情報をアップデートいたします。
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2019-10146
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
CVE-2019-10179
A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.
A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.
CVE-2019-10221
A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser.
A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser.
CVE-2020-1721
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-25715
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-20179
A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.
A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.
追加情報:
N/A
ダウンロード:
SRPMS
- pki-core-10.5.18-12.el7.src.rpm
MD5: 420a0b6a446f06ac8cba022c6f1caa71
SHA-256: f2ab61029e8243cccc78a1e591475344cf7b9b57aaf487b60cc03be54d37c258
Size: 4.86 MB
Asianux Server 7 for x86_64
- pki-base-10.5.18-12.el7.noarch.rpm
MD5: 6df2b19b80d22a661cbaf9ca6e569aa2
SHA-256: c965ffac3d338c804b541df46acb70431ba58d518034dfee4ea2415e10c77dc2
Size: 427.74 kB - pki-base-java-10.5.18-12.el7.noarch.rpm
MD5: 6332e7150d0e0ffadf557bff1c3a9d7c
SHA-256: d3a52d8cdd71d76a7b34bb3170c2acdaacc1521f04b3986cac85ca6890c51561
Size: 1.21 MB - pki-ca-10.5.18-12.el7.noarch.rpm
MD5: c918ec5f788c0813181f80402db7ba9f
SHA-256: cb3a559b44f5ca27e00295094d2ecc6230b1781c78932fe5da6e0d8a78bc6a97
Size: 484.50 kB - pki-kra-10.5.18-12.el7.noarch.rpm
MD5: 0f3aa613790957d774dcfdfc75f3bc9c
SHA-256: 24727c4b1e3bf4383fb0ed0d3e99935d8754c071751ba71315ccd526f1cbaf27
Size: 306.66 kB - pki-server-10.5.18-12.el7.noarch.rpm
MD5: d2029ff7abdbd46afd7ad80b2649a04e
SHA-256: 9c5f305a7b2ee23c6a9e606131af481a354b431a7b72648b4b7f96c5156bba2f
Size: 2.94 MB - pki-symkey-10.5.18-12.el7.x86_64.rpm
MD5: f93498aae1ce081e6be8f7537ab65487
SHA-256: b8824e56d0053d2a42bf180b3d81877562711b265d4eab687e99d6badfcf983a
Size: 168.60 kB - pki-tools-10.5.18-12.el7.x86_64.rpm
MD5: 2534dafe7494aa117af7bbbe7cd09875
SHA-256: 0723f8c0862dac6eb285c9e4fbe5d040744caadcdb8529137a8fb29f897984ef
Size: 768.31 kB
English