Summary: a user with 'retrieve certificate' permission can revoke any certificate. The 'revoke certificate' permission is not required.

Detail: the 'cert_revoke' command does check for the 'revoke certificate' permission; however, if an access error is raised, it then invokes the 'cert_show' command. The rationale was to re-use a "self-service" check that is part of the 'cert_show' command; however, it is sufficient that 'cert_show' execute successfully for 'cert_revoke' to recover from the access error and continue. Therefore, anyone with 'retrieve certificate' permission can revoke *any* certificate.

Impact: anyone with 'retrieve certificate' permission can cause various kinds of DoS by revoking any cert they want.

Scope: every supported version of RHEL with IdM is affected.
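The following is an added illustration of the flawed fallback described above, not FreeIPA's own code: a minimal model of 'cert_revoke' falling back to 'cert_show', beside a hardened variant. The hardened check (that the certificate belongs to the caller) is an assumption about what a proper self-service check looks like; the function, class and sample names are made up.

```python
# Added illustration (not FreeIPA's code): a minimal model of the permission
# fallback described in the report and a hardened variant.
# Names such as cert_show, cert_revoke_*, Principal and CERTS are assumed.
from dataclasses import dataclass, field

class ACIError(Exception):
    """Raised when the caller lacks the required permission."""

@dataclass
class Principal:
    name: str
    permissions: set = field(default_factory=set)

# Constructed sample data: certificate serial -> owning principal name
CERTS = {1001: "alice", 1002: "bob"}
REVOKED = set()

def check_permission(caller, perm):
    if perm not in caller.permissions:
        raise ACIError(f"{caller.name} lacks '{perm}'")

def cert_show(caller, serial):
    """Succeeds for anyone holding 'retrieve certificate'."""
    check_permission(caller, "retrieve certificate")
    return {"serial": serial, "owner": CERTS[serial]}

def cert_revoke_flawed(caller, serial):
    """Vulnerable pattern: a successful cert_show satisfies the fallback,
    so any principal that can read the cert can also revoke it."""
    try:
        check_permission(caller, "revoke certificate")
    except ACIError:
        cert_show(caller, serial)  # intended as self-service check; any reader passes
    REVOKED.add(serial)
    return True

def cert_revoke_fixed(caller, serial):
    """Hardened variant (assumed fix): the fallback only applies when the
    certificate shown actually belongs to the caller."""
    try:
        check_permission(caller, "revoke certificate")
    except ACIError:
        info = cert_show(caller, serial)
        if info["owner"] != caller.name:
            raise  # re-raise the original access error
    REVOKED.add(serial)
    return True
```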
Acknowledgments: Name: Fraser Tweedale (Red Hat)
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1367883]
freeipa-4.3.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
Via RHSA-2016:1797 https://rhn.redhat.com/errata/RHSA-2016-1797.html