CVE-2021-3698: Bug 1992149 – cockpit: authenticates with revoked certificates

A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.


Bug 1992149 (CVE-2021-3698) - cockpit: authenticates with revoked certificates

Summary: CVE-2021-3698 cockpit: authenticates with revoked certificates
Keywords:
Status: POST
Alias: CVE-2021-3698
Product: Security Response
Classification: Other
Component: vulnerability
Sub Component:
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone:
Assignee: Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On: 1992432 1992620 2005344 1993783 1998513
Blocks: 1988484 1992150
Reported: 2021-08-10 16:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-02-28 14:42 UTC
CC List: 19 users
Fixed In Version: cockpit 260
Doc Type: If docs needed, set a value

Doc Text:

A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.

Clone Of:
Environment:
Last Closed:


Links

System: Github
ID: cockpit-project cockpit pull 16703
Private: 0
Priority: None
Status: open
Summary: session: Validate client certificates against sssd’s trusted CA
Last Updated: 2021-12-09 15:08:34 UTC
