A new CMC feature allows a non-agent to submit a certificate request for automatic approval; one of the supported authentication methods, "SharedToken", is currently implemented only as a hard-coded string. Anyone who knows this hard-coded string could get a certificate issued to themselves. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1466486 Upstream patch: https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9
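The following is an added illustrative model of the weakness described above and of the per-identity alternative; it is not Dogtag PKI code and does not reproduce the real plugin, the real token, or the upstream patch. The class names, the `CMCRequest` stand-in and the placeholder token value are all constructed for this example. The vulnerable class accepts one constant from any requester, so knowledge of the constant alone suffices for auto-approval of any subject; the hardened class binds a randomly minted, single-use token to one subject and compares it in constant time.

```python
"""Illustrative model of CMC shared-token authentication.

Added example, not Dogtag PKI code. Contrasts a hard-coded shared token
(the pattern the advisory describes) with a per-identity shared token.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class CMCRequest:
    """Constructed stand-in for a CMC request: the subject to be certified
    and the shared token presented alongside it."""
    subject: str
    shared_token: str


class HardcodedSharedTokenAuth:
    """Vulnerable pattern: a single constant accepted from anyone.

    Because the token is fixed in code and not tied to any identity,
    anyone who learns it can have a request for any subject approved.
    """
    # Constructed placeholder value; the defect is that it is a constant.
    HARDCODED_TOKEN = "cmc-shared-token"

    def approve(self, req: CMCRequest) -> bool:
        return req.shared_token == self.HARDCODED_TOKEN


class PerIdentitySharedTokenAuth:
    """Hardened pattern: a random token enrolled per subject by an agent,
    bound to the request's subject, compared in constant time, and
    consumed on first successful use."""

    def __init__(self) -> None:
        # In a real CA this mapping would live in the subject's directory
        # entry; an in-memory dict stands in for it here.
        self._tokens: dict[str, str] = {}

    def enroll(self, subject: str) -> str:
        """Agent-side step: mint and store a token for exactly one subject."""
        token = secrets.token_urlsafe(32)
        self._tokens[subject] = token
        return token

    def approve(self, req: CMCRequest) -> bool:
        expected = self._tokens.get(req.subject)
        if expected is None:
            # No token enrolled for this subject: nothing to match against.
            return False
        if not hmac.compare_digest(expected.encode(), req.shared_token.encode()):
            return False
        # Single use: a replayed token must not approve a second request.
        del self._tokens[req.subject]
        return True


if __name__ == "__main__":
    weak = HardcodedSharedTokenAuth()
    print("hard-coded token, arbitrary subject:",
          weak.approve(CMCRequest("CN=anyone", HardcodedSharedTokenAuth.HARDCODED_TOKEN)))
    strong = PerIdentitySharedTokenAuth()
    tok = strong.enroll("CN=host1")
    print("per-identity token, wrong subject:",
          strong.approve(CMCRequest("CN=attacker", tok)))
    print("per-identity token, right subject:",
          strong.approve(CMCRequest("CN=host1", tok)))
    print("per-identity token, replayed:",
          strong.approve(CMCRequest("CN=host1", tok)))
```

The subject binding is the part that matters most: even a leaked per-identity token only lets an attacker obtain a certificate for the one subject it was enrolled for, and only once, whereas the hard-coded constant grants issuance for any name.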
Created attachment 1298215: patch to disable SharedSecret plugin
Acknowledgments: Name: Christina Fu (Red Hat)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 via RHSA-2017:2335 https://access.redhat.com/errata/RHSA-2017:2335