Fedora Account System
Red Hat Associate
Red Hat Customer
When configured with the leaf and chain OCSP policy, JSS assumes that the root is trusted, and there is no attempt to validate it. This could allow a specially crafted certificate to be accepted by the application, and could be used, for example, in Man in the Middle attacks.
Acknowledgments: Name: Alexander Scheel
Affected versions : 4.4.x : 4.4.6+ 4.5.x : versions after 4.5.3 4.6.x : 4.6.0+
Statement: Red Hat Certificate System 9.4 and above use the vulnerable policy. Red Hat Enterprise Satellite 6 does not ship a vulnerable version of the JSS library.
Created jss tracking bugs for this issue: Affects: fedora-all [bug 1761444]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3067 https://access.redhat.com/errata/RHSA-2019:3067
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14823
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:3225 https://access.redhat.com/errata/RHSA-2019:3225