Headline
RHSA-2022:8444: Red Hat Security Advisory: keylime security update
An update for keylime is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-3500: keylime: exception handling and impedance match in tornado_requests
Issued:
2022-11-15
Updated:
2022-11-15
RHSA-2022:8444 - Security Advisory
Synopsis
Moderate: keylime security update
Type/Severity
Security Advisory: Moderate
Topic
An update for keylime is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Keylime is a TPM-based, highly scalable remote boot attestation and runtime integrity measurement solution.
Security Fix(es):
- keylime: exception handling and impedance match in tornado_requests (CVE-2022-3500)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2135343 - CVE-2022-3500 keylime: exception handling and impedance match in tornado_requests
Red Hat Enterprise Linux for x86_64 9
SRPM
keylime-6.5.1-1.el9_1.src.rpm
SHA-256: 36ef9a6a001396d416991839dd3f3030dedabd67192ac6c94c11979725ae7c09
x86_64
keylime-6.5.1-1.el9_1.x86_64.rpm
SHA-256: a15749740a0b77a1196911fac1085e26ca0425114d86736fe8760365b13858c9
keylime-base-6.5.1-1.el9_1.x86_64.rpm
SHA-256: e06f0c33bb9dea3c9d125431e3479f08bf1c0de7fbe87b73640dd155f1e7bc5e
keylime-registrar-6.5.1-1.el9_1.x86_64.rpm
SHA-256: c4fc37af8a235ee38bb7129277cc4c5c1d64f8dc9824cf6e2a64aebee8cb5574
keylime-selinux-6.5.1-1.el9_1.noarch.rpm
SHA-256: 16f31b9c0f04ff0e39943dffd642d6f2915af8ab039b49cf15e4c96053485253
keylime-tenant-6.5.1-1.el9_1.x86_64.rpm
SHA-256: 2452e11736301a957d05e21ea261163f28c64f3563fa1fb67e7b94c34adf770d
keylime-verifier-6.5.1-1.el9_1.x86_64.rpm
SHA-256: 056a2ccd29ad8c6b9fe1b7e10a6491b7482e74982f55de674394ceddffa30c91
python3-keylime-6.5.1-1.el9_1.x86_64.rpm
SHA-256: e65efd33df95a8bf23105d30d87c8ad5527b863fd6bfe24a326b1a36031e5100
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
keylime-6.5.1-1.el9_1.src.rpm
SHA-256: 36ef9a6a001396d416991839dd3f3030dedabd67192ac6c94c11979725ae7c09
s390x
keylime-6.5.1-1.el9_1.s390x.rpm
SHA-256: 0a0fd4f9ae0374b0727129fdde57fcc197da489e4ea1f990b4885b2b6a9cd664
keylime-base-6.5.1-1.el9_1.s390x.rpm
SHA-256: eeba95ad7da4a64cee74c22cd8b2521f2701550a7ac2088ac8898df6e3babb07
keylime-registrar-6.5.1-1.el9_1.s390x.rpm
SHA-256: d944491a727833852f7317ee0a96af1d008f5234053b7e8b558449167737d2cf
keylime-selinux-6.5.1-1.el9_1.noarch.rpm
SHA-256: 16f31b9c0f04ff0e39943dffd642d6f2915af8ab039b49cf15e4c96053485253
keylime-tenant-6.5.1-1.el9_1.s390x.rpm
SHA-256: 781e754d776401a31869681d6b25aa5507b368611510acf70d85ff93532015c4
keylime-verifier-6.5.1-1.el9_1.s390x.rpm
SHA-256: 73cdf16206a9a6124465a600d6e5a5724eeb555429170dea77921be6482b6058
python3-keylime-6.5.1-1.el9_1.s390x.rpm
SHA-256: ba17221580809eba0e54952b37a435609fee3220439bd46c854104ccaab80e60
Red Hat Enterprise Linux for Power, little endian 9
SRPM
keylime-6.5.1-1.el9_1.src.rpm
SHA-256: 36ef9a6a001396d416991839dd3f3030dedabd67192ac6c94c11979725ae7c09
ppc64le
keylime-6.5.1-1.el9_1.ppc64le.rpm
SHA-256: f4de23936954056d4e5d5c965390cc40ceea6dfe510869b9e5a5348a6ca8262d
keylime-base-6.5.1-1.el9_1.ppc64le.rpm
SHA-256: c6c4693212dd4a68c45c3452c66036639800ca6384349badeff53a874573c922
keylime-registrar-6.5.1-1.el9_1.ppc64le.rpm
SHA-256: 8cea68972f45bf8b58a8973ce23930e75ba6ce7213d1947516427018f7781613
keylime-selinux-6.5.1-1.el9_1.noarch.rpm
SHA-256: 16f31b9c0f04ff0e39943dffd642d6f2915af8ab039b49cf15e4c96053485253
keylime-tenant-6.5.1-1.el9_1.ppc64le.rpm
SHA-256: 7cd96a157735b8ba8ebeb8b83bdf824183621c75d8b5cafb425c3a3bea28fe62
keylime-verifier-6.5.1-1.el9_1.ppc64le.rpm
SHA-256: 46a149e995a252c0e951335e921e4cf9f45d8546584f35c07b024e67a0ee9cad
python3-keylime-6.5.1-1.el9_1.ppc64le.rpm
SHA-256: 6fce3d624e2aeccff9ab356df7e9eb1d16e1a53599d9b3986f1c342a79c0cc74
Red Hat Enterprise Linux for ARM 64 9
SRPM
keylime-6.5.1-1.el9_1.src.rpm
SHA-256: 36ef9a6a001396d416991839dd3f3030dedabd67192ac6c94c11979725ae7c09
aarch64
keylime-6.5.1-1.el9_1.aarch64.rpm
SHA-256: daf261885b348a648cf66ff488f752725e83e4105cb69a55ed8a24e28c9717e0
keylime-base-6.5.1-1.el9_1.aarch64.rpm
SHA-256: e9432cc17aff58f18ef5a85e6c65873660f483ddb502acb9dc29ed2959a27a55
keylime-registrar-6.5.1-1.el9_1.aarch64.rpm
SHA-256: 336cfab154f6087ff5978a24ad94fe835c363a302ca2e58d993cf19c3c188941
keylime-selinux-6.5.1-1.el9_1.noarch.rpm
SHA-256: 16f31b9c0f04ff0e39943dffd642d6f2915af8ab039b49cf15e4c96053485253
keylime-tenant-6.5.1-1.el9_1.aarch64.rpm
SHA-256: b398fbf4d49c925ca1762206461e748c1dd6b69c84fc751b321997a7047f0867
keylime-verifier-6.5.1-1.el9_1.aarch64.rpm
SHA-256: 17e979e11f09a51fe785f7e450a505048ecc8e7818960054d9ef554a2c9d0503
python3-keylime-6.5.1-1.el9_1.aarch64.rpm
SHA-256: c04cf3efb2002819249c40ae310c435bd32281bc6a055356d1de8d7c9f48ebe5
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
A vulnerability was found in keylime. In some circumstances, due to improperly handled exceptions, a rogue agent could trigger errors on the verifier that stop further attestation attempts for that host, leaving it recorded as attested while it is no longer being verified.
### Impact
This vulnerability creates a false sense of security for keylime users: a user could query keylime and conclude that a particular node/agent is correctly attested, while attestations are not in fact taking place.
**Short explanation**: the keylime verifier creates periodic reports on the state of each attested agent. It runs a set of Python asynchronous processes to challenge attested nodes and create reports on the outcome. The vulnerability consists of those asynchronous processes failing silently, i.e. quitting without leaving behind a database entry, raising an error, or producing even a mention of an error in a log. The silent failure can be triggered by a small set of transient network failure conditions; recoverable device driver crashes being one such condition we saw in the wild.
### Patches
The problem is fixed in keylime starting with tag 6.5.1.
### Workarounds
This [patch](https://github.com/keylime/keylime/pull/112...
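The failure mode described above, as an added illustration in Python. This is not keylime's code and does not reproduce the `tornado_requests` fix shipped in 6.5.1; the verifier loop, the `AgentRecord` states, the `RogueAgentError`, and the quote interval used by `is_fresh` are assumptions made for the example. It shows why a status query can say "attested" after the per-agent task has died, what a hardened loop must record instead, and a consumer-side freshness check that does not trust a state older than a few quote intervals:

```python
"""Illustration (not keylime code) of the failure mode behind CVE-2022-3500:
a periodic attestation task that dies on an unhandled exception leaves the
agent's recorded state at its last good value, so a status query reports
"attested" while no attestation is actually happening.

Names, states and intervals below are assumptions for the example.
"""
import asyncio
import logging
import time

log = logging.getLogger("verifier-example")


class AgentRecord:
    """Constructed stand-in for the verifier's per-agent database row."""

    def __init__(self, agent_id):
        self.agent_id = agent_id
        self.state = "attested"          # last recorded state
        self.last_ok = time.monotonic()  # time of the last successful quote
        self.failures = []               # what the hardened loop records


class RogueAgentError(Exception):
    """Stands in for the malformed response / transport error a rogue agent
    can provoke in the verifier's request layer."""


async def request_quote(record, responses):
    """Simulated quote request. `responses` is a per-round script:
    True = good quote, an exception instance = the agent broke the request."""
    await asyncio.sleep(0)
    outcome = responses.pop(0) if responses else True
    if isinstance(outcome, Exception):
        raise outcome
    record.last_ok = time.monotonic()
    return True


async def vulnerable_loop(record, responses, rounds):
    # The exception escapes, the task dies, nothing is logged, and
    # record.state is never moved away from "attested".
    for _ in range(rounds):
        await request_quote(record, responses)
        record.state = "attested"


async def hardened_loop(record, responses, rounds):
    # Every failure is logged, persisted on the record and reflected in state.
    for _ in range(rounds):
        try:
            await request_quote(record, responses)
            record.state = "attested"
        except Exception as exc:  # deliberately broad: any failure must be recorded
            log.error("agent %s: attestation failed: %r", record.agent_id, exc)
            record.failures.append(repr(exc))
            record.state = "failed"
            return record


def run_verifier(loop_fn, responses, rounds=3):
    """Run one agent's loop as a background task, the way a verifier would.
    Returns (record, task_exception): the exception an unobserved task
    would have swallowed, or None."""
    record = AgentRecord("agent-1")

    async def main():
        task = asyncio.create_task(loop_fn(record, list(responses), rounds))
        # return_exceptions=True hides the error the same way an unobserved
        # background task does; a real verifier would never look at it.
        results = await asyncio.gather(task, return_exceptions=True)
        return results[0]

    result = asyncio.run(main())
    return record, (result if isinstance(result, BaseException) else None)


def is_fresh(record, interval_s, max_missed=3, now=None):
    """Consumer-side check: only trust "attested" if a successful quote
    happened within `max_missed` quote intervals."""
    now = time.monotonic() if now is None else now
    return record.state == "attested" and (now - record.last_ok) <= max_missed * interval_s


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    script = [True, RogueAgentError("malformed quote"), True]
    rec, exc = run_verifier(vulnerable_loop, script)
    print("vulnerable:", rec.state, "failures:", rec.failures, "task died:", exc is not None)
    rec, exc = run_verifier(hardened_loop, script)
    print("hardened:  ", rec.state, "failures:", rec.failures)
```

Running it shows the vulnerable loop ending with state "attested", an empty failure list and a dead task, which is exactly what a status query would report; the hardened loop ends in "failed" with the error recorded. The freshness check is a tenant-side mitigation for the same class of bug and does not replace installing keylime 6.5.1 or later.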