Bug 1959971 (CVE-2021-3551)

Summary: CVE-2021-3551 pki-server: Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abokovoy, alee, alexander.m.scheel, cbuissar, cfu, ckelley, dsirrine, edewata, jmagne, kwright, mharmsen, mkdineshprasanth, rhcs-maint, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core 10.10.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-03 11:32:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1960143, 1960144, 1960145, 1960146, 1960147, 1960167, 1967401, 2184518    
Bug Blocks: 1959973, 1960325    

Description Pedro Sampaio 2021-05-12 18:17:15 UTC 
A flaw was found in pki-core 10.10. Older versions are not affected.

When the pkispawn command is run in debug mode, admin credentials are stored in the installation log file, which is world readable.
Comment 5 Cedric Buissart 2021-05-13 12:27:01 UTC 
Acknowledgments:

Name: Christian Heimes
Comment 8 Cedric Buissart 2021-06-03 06:03:13 UTC 
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1967401]
Comment 9 errata-xmlrpc 2021-06-03 11:06:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2235 https://access.redhat.com/errata/RHSA-2021:2235
Comment 10 Product Security DevOps Team 2021-06-03 11:32:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3551
Comment 11 Cedric Buissart 2021-06-14 15:30:58 UTC 
Upstream fixes:

https://github.com/dogtagpki/pki/commit/0c2f3b84499584bb6029f5ba3988ed3cb081e548
https://github.com/dogtagpki/pki/commit/b01cd8cc7d3e391e69ed2c8161f7e15fa84553e6
https://github.com/dogtagpki/pki/commit/5b09fcaff11d33010469e695ef365a91c91674b5