When JSS is configured with the "Leaf and Chain" OCSP policy, it assumes that the root certificate is trusted and makes no attempt to validate it. This could allow a specially crafted certificate chain to be accepted by the application, and could be used, for example, in man-in-the-middle attacks.
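As an added illustration, and not JSS code or a reproduction of the JSS fix: a constructed Go model of the trust failure described above. A chain walk that verifies every signature from the leaf upward but accepts whatever self-signed certificate tops the supplied chain is shown beside a variant that additionally requires that root to match a configured trust anchor. The certificate names, the three-certificate layout, the helper names (newCert, walkChain, leafAndChainVulnerable, leafAndChainFixed, buildChain) and the throwaway keys are all assumptions made for the demonstration; OCSP itself is not modelled, only the root-trust check the policy omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable for a demo that mints its own throwaway certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // constructed: distinct serial numbers for the demo certificates

// newCert mints a P-256 certificate for cn. A nil issuer produces a self-signed root.
func newCert(cn string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil { // self-signed: the template is its own issuer
		issuer, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// walkChain checks chain[i] is signed by chain[i+1] and that the last certificate is
// self-signed. It returns that root but says nothing about whether it deserves trust.
func walkChain(chain []*x509.Certificate) (*x509.Certificate, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return nil, fmt.Errorf("%q is not signed by %q: %w", chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
	}
	root := chain[len(chain)-1]
	if err := root.CheckSignatureFrom(root); err != nil {
		return nil, fmt.Errorf("chain does not end in a self-signed certificate: %w", err)
	}
	return root, nil
}

// leafAndChainVulnerable models the flawed policy: every signature is checked, but the
// self-signed certificate at the top of the supplied chain is simply assumed trusted.
func leafAndChainVulnerable(chain []*x509.Certificate) error {
	_, err := walkChain(chain)
	return err
}

// leafAndChainFixed also requires the root to be a configured trust anchor (compared on
// its DER encoding), so a chain ending in an attacker-minted root is rejected.
func leafAndChainFixed(chain, anchors []*x509.Certificate) error {
	root, err := walkChain(chain)
	if err != nil {
		return err
	}
	for _, a := range anchors {
		if root.Equal(a) {
			return nil
		}
	}
	return fmt.Errorf("root %q is not a configured trust anchor", root.Subject.CommonName)
}

// buildChain mints root -> intermediate -> leaf and returns it leaf-first, plus the root.
func buildChain(rootName string) ([]*x509.Certificate, *x509.Certificate) {
	root, rootKey := newCert(rootName, true, nil, nil)
	inter, interKey := newCert(rootName+" Issuing CA", true, root, rootKey)
	leaf, _ := newCert("server.example.test", false, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}, root
}

func main() {
	_, corpRoot := buildChain("Corp Root CA")                                          // the deployment's own PKI
	evil, _ := buildChain("Attacker Root CA")                                           // constructed: attacker-minted chain
	anchors := []*x509.Certificate{corpRoot}                                            // what the application should trust
	fmt.Println("vulnerable policy, attacker chain:", leafAndChainVulnerable(evil))     // <nil>: accepted
	fmt.Println("fixed policy, attacker chain:     ", leafAndChainFixed(evil, anchors)) // rejected
}
```

The attacker chain is internally consistent (every signature verifies, the top certificate is self-signed), which is exactly why a walk that stops at "self-signed" accepts it; only the comparison against anchors the application actually configured distinguishes it from the real PKI. Go's own `(*x509.Certificate).Verify` with `VerifyOptions.Roots` performs that anchor check as a matter of course, and a production validator would use it rather than a hand-rolled walk.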
Acknowledgments: Alexander Scheel
Affected versions:
4.4.x: 4.4.6 and later
4.5.x: versions after 4.5.3
4.6.x: 4.6.0 and later
Statement: Red Hat Certificate System 9.4 and above use the vulnerable policy. Red Hat Enterprise Satellite 6 does not ship a vulnerable version of the JSS library.
Created jss tracking bugs for this issue: Affects: fedora-all [bug 1761444]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3067 https://access.redhat.com/errata/RHSA-2019:3067
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14823
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:3225 https://access.redhat.com/errata/RHSA-2019:3225