Bug 1747435 (CVE-2019-14823) - CVE-2019-14823 JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
Summary: CVE-2019-14823 JSS: OCSP policy "Leaf and Chain" implicitly trusts the root c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14823
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1747966 1747967 1747986 1747987 1761444
Blocks: 1746786
TreeView+ depends on / blocked
 
Reported: 2019-08-30 12:38 UTC by Cedric Buissart
Modified: 2021-12-14 18:47 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
Clone Of:
Environment:
Last Closed: 2019-10-16 06:51:24 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3067 0 None None None 2019-10-15 17:47:37 UTC
Red Hat Product Errata RHSA-2019:3225 0 None None None 2019-10-29 14:02:35 UTC

Description Cedric Buissart 2019-08-30 12:38:06 UTC 
When configured with the leaf and chain OCSP policy, JSS assumes that the root is trusted, and there is no attempt to validate it.
This could allow a specially crafted certificate to be accepted by the application, and could be used, for example, in Man in the Middle attacks.
Comment 2 Cedric Buissart 2019-08-30 15:07:05 UTC 
Acknowledgments:

Name: Alexander Scheel
Comment 8 Cedric Buissart 2019-09-10 07:52:08 UTC 
Affected versions :
4.4.x : 4.4.6+
4.5.x : versions after 4.5.3
4.6.x : 4.6.0+
Comment 10 Cedric Buissart 2019-09-10 09:25:30 UTC 
Statement:

Red Hat Certificate System 9.4 and above use the vulnerable policy.

Red Hat Enterprise Satellite 6 does not ship a vulnerable version of the JSS library.
Comment 17 Cedric Buissart 2019-10-14 12:16:49 UTC 
Created jss tracking bugs for this issue:

Affects: fedora-all [bug 1761444]
Comment 18 errata-xmlrpc 2019-10-15 17:47:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3067 https://access.redhat.com/errata/RHSA-2019:3067
Comment 19 Product Security DevOps Team 2019-10-16 06:51:24 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14823
Comment 20 errata-xmlrpc 2019-10-29 14:02:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3225 https://access.redhat.com/errata/RHSA-2019:3225
Note You need to log in before you can comment on or make changes to this bug.