The new CMC feature allows a non-agent to submit a request for automatic approval; one of the approval methods, "SharedToken", is currently implemented only as a hard-coded string. Anyone who knows this hard-coded string could get themselves a certificate issued.
Created attachment 1298215: patch to disable SharedSecret plugin
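The weakness class described in the report, shown as an added illustration that is not pki-core's own code: an auto-approval check that accepts one fixed shared token lets any requester who learns that constant pass, independent of who they are. Beside it is a hardened variant with the assumptions a reviewer would expect (the plugin is off unless explicitly enabled, each identity has its own secret stored as a salted hash, and the comparison is constant-time). The token value, identities and secrets below are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for the hard-coded string from the report.
HARDCODED_SHARED_TOKEN = "example-hardcoded-token"


def vulnerable_auto_approve(request: dict) -> bool:
    """Weak pattern: approval hinges on a single constant shared by everyone.

    The requester's identity is never consulted, so any party who learns
    the constant is treated as authorized.
    """
    return request.get("SharedToken") == HARDCODED_SHARED_TOKEN


class SharedSecretPolicy:
    """Hardened pattern (assumed design, not the project's implementation).

    - Disabled by default: nothing is auto-approved unless an operator opts in.
    - Per-identity secrets: the presented token must match the secret that was
      provisioned for that specific identity, not a global value.
    - Secrets are stored as salted PBKDF2 digests and compared in constant time.
    """

    def __init__(self, enabled: bool = False) -> None:
        self.enabled = enabled
        self._store: dict[str, tuple[bytes, bytes]] = {}  # identity -> (salt, digest)

    @staticmethod
    def _digest(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll_secret(self, identity: str, secret: str) -> None:
        """Provision a secret for one identity (e.g. handed out by an agent)."""
        salt = secrets.token_bytes(16)
        self._store[identity] = (salt, self._digest(secret, salt))

    def auto_approve(self, request: dict) -> bool:
        if not self.enabled:
            return False
        identity = request.get("identity")
        token = request.get("SharedToken")
        if identity is None or token is None or identity not in self._store:
            return False
        salt, expected = self._store[identity]
        presented = self._digest(token, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed requests: the weak check passes anyone holding the constant.
    print(vulnerable_auto_approve({"SharedToken": HARDCODED_SHARED_TOKEN}))  # True
    policy = SharedSecretPolicy(enabled=True)
    policy.enroll_secret("alice", "per-user-secret")
    print(policy.auto_approve({"identity": "alice", "SharedToken": "per-user-secret"}))  # True
    print(policy.auto_approve({"identity": "bob", "SharedToken": "per-user-secret"}))    # False
```

The point of the comparison is the binding between secret and identity: in the hardened policy a leaked secret authorizes only the identity it was provisioned for, and only while the feature is switched on, which is the same effect the attached patch reaches by disabling the plugin outright.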
Name: Christina Fu (Red Hat)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2335 https://access.redhat.com/errata/RHSA-2017:2335