Multiple security issues were found in FreeIPA's 'ca' plugin. Any authenticated but unauthorised user can delete, disable or enable CAs in Dogtag. The impact in the deletion case is denial of service for cert issuance or OCSP signing, and deletion of secret keys. The impact for disablement is denial of service for cert issuance.
Acknowledgments: Name: Fraser Tweedale (Red Hat)
Created freeipa tracking bugs for this issue:
Affects: fedora-all [bug 1427094]
Fixed upstream:
master: https://pagure.io/freeipa/c/b81ac59640f0b76fa9f53cf8be441f085a7089c4?branch=master
ipa-4-4: https://pagure.io/freeipa/c/1aa314c79648c442473f19344387bfe11ec2141b?branch=ipa-4-4
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:0388 https://rhn.redhat.com/errata/RHSA-2017-0388.html