Red Hat Bugzilla – Bug 869579
CVE-2012-4556 pki-tps: Connection reset when performing empty certificate search in TPS
Last modified: 2015-08-22 02:46:28 EDT
A temporary denial of service flaw was found in the way token processing system of Certificate System processed user certificate search queries with certain empty search fields. A remote attacker could use this flaw to cause the main Apache httpd web server broker it to need to restart (resulting into situation where the client would obtain connection reset instead of proper error message), leading to (temporary) denial of service (resulting into any users currently in the middle of enrolling tokens to experience a connection drop and their in progress operation to be terminated).
The CVE identifier of CVE-2012-4556 has been assigned to this issue.
Red Hat would like to thank Patrick Raspante and Ryan Millay of GDC4S for reporting this issue.
Created pki-tps tracking bugs for this issue
Affects: fedora-all [bug 884830]
Affects: epel-5 [bug 884831]
This issue has been addressed in following products:
Red Hat Certificate System 8
Via RHSA-2012:1550 https://rhn.redhat.com/errata/RHSA-2012-1550.html