bugzilla.redhat.com
2a02:26f0:fb:5b1::762
Public Scan
URL:
https://bugzilla.redhat.com/show_bug.cgi?id=1992149
Submission: On March 15 via api from SE — Scanned from DE
Form analysis
5 forms found in the DOM
POST show_bug.cgi?id=1992149
<form action="show_bug.cgi?id=1992149" method="POST" class="mini_login " id="mini_login">
<input id="Bugzilla_login" required="" name="Bugzilla_login" class="bz_login" type="email" placeholder="Email Address">
<input class="bz_password" name="Bugzilla_password" type="password" id="Bugzilla_password" required="" placeholder="Password">
<input type="hidden" name="Bugzilla_login_token" value="">
<input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in">
</form>
POST token.cgi
<form action="token.cgi" method="post" id="forgot_form" class="mini_forgot bz_default_hidden">
<label for="login">Login:</label>
<input name="loginname" size="20" id="login" required="" type="email" placeholder="Your Email Address">
<input id="forgot_button" value="Reset Password" type="submit">
<input type="hidden" name="a" value="reqpw">
<input type="hidden" id="token" name="token" value="1647331771-69blqKDUpIb_7tbp_LsFmZ5fWZSawivTT8wqH2Q-M1k">
<p>
<a href="#" onclick="return hide_forgot_form('')"><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> Hide Forgot</a>
</p>
</form>
GET buglist.cgi
<form action="buglist.cgi" method="get" onsubmit="if (this.quicksearch.value == '')
{ alert('Please enter one or more search terms first.');
return false; } return true;">
<input type="hidden" id="no_redirect_top" name="no_redirect" value="1">
<input class="txt" type="text" id="quicksearch_top" name="quicksearch" title="Quick Search" value="">
<input class="btn" type="submit" value="Search" id="find_top">
</form>
Name: changeform — POST process_bug.cgi
<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
<input type="hidden" name="delta_ts" value="2022-02-28 14:42:40">
<input type="hidden" name="id" value="1992149">
<input type="hidden" name="token" value="1647331771-ibKv1qQhQdgb3nWf4nY8NjEhMzWELVFX3XrtOC7JCTs">
<div class="bz_short_desc_container edit_form">
<a href="show_bug.cgi?id=1992149"><b>Bug 1992149</b></a> <span id="summary_container"> (<span id="alias_nonedit_display">CVE-2021-3698</span>) - <span
id="short_desc_nonedit_display"><a href="https://access.redhat.com/security/cve/CVE-2021-3698">CVE-2021-3698</a> cockpit: authenticates with revoked certificates</span>
</span>
<div id="summary_input" class="bz_default_hidden"><span class="field_label " id="field_label_short_desc">
<a title="The bug summary is a short sentence which succinctly describes what the bug is about." class="field_help_link" href="page.cgi?id=fields.html#short_desc">Summary:</a>
</span>CVE-2021-3698 cockpit: authenticates with revoked certificates </div>
</div>
<script type="text/javascript">
hideEditableField('summary_container', 'summary_input', 'summary_edit_action', 'short_desc', 'CVE-2021-3698 cockpit: authenticates with revoked certificates');
</script>
<table class="edit_form">
<tbody>
<tr>
<td id="bz_show_bug_column_1" class="bz_show_bug_column">
<table>
<tbody>
<tr>
<th class="field_label">
<a href="describekeywords.cgi">Keywords</a>:
</th>
<td>
<div class="keywords_select">
<select id="keywords" name="keywords" disabled="" multiple="multiple" tabindex="-1" class="selectized" style="display: none;">
<option value="Security" selected="selected" title="Bugs with the &quot;Security&quot; keyword are those that relate to a security vulnerability with a Red Hat product or service. For further information on how to report a security vulnerability to Red Hat please see the &quot;Security Contacts and Procedures&quot; page at http://www.redhat.com/security/team/contact/">Security </option>
</select>
</div>
</td>
</tr>
<tr>
<th class="field_label">
<a href="page.cgi?id=fields.html#bug_status">Status</a>:
</th>
<td id="bz_field_status">
<span id="static_bug_status">POST </span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_alias">
<a title="A short, unique name assigned to a bug in order to assist with looking it up and referring to it in other places in Bugzilla." class="field_help_link" href="page.cgi?id=fields.html#alias">Alias:</a>
</th>
<td>CVE-2021-3698 </td>
</tr>
<tr>
<th class="field_label " id="field_label_product">
<a title="Bugs are categorised into Products and Components. Select a Classification to narrow down this list." class="field_help_link" href="describecomponents.cgi">Product:</a>
</th>
<td class="field_value " id="field_container_product">Security Response </td>
</tr>
<tr class="bz_default_hidden">
<th class="field_label " id="field_label_classification">
<a title="Bugs are categorised into Classifications, Products and Components. classifications is the top-level categorisation." class="field_help_link" href="page.cgi?id=fields.html#classification">Classification:</a>
</th>
<td class="field_value " id="field_container_classification">Other </td>
</tr>
<tr>
<th class="field_label " id="field_label_component">
<a title="Components are second-level categories; each belongs to a particular Product. Select a Product to narrow down this list." class="field_help_link" href="describecomponents.cgi?product=Security Response">Component:</a>
</th>
<td>
<input type="hidden" id="component" name="component" value="vulnerability">vulnerability <span class="show_others">
<a href="buglist.cgi?component=vulnerability&product=Security%20Response" title="Show other bugs for this component"><i class="fas fa-th-list"></i></a>
<a href="enter_bug.cgi?component=vulnerability&product=Security%20Response&version=unspecified" title="Create a new bug for this component"><i class="fas fa-plus-circle"></i></a>
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_version">
<a title="The version field defines the version of the software the bug was found in." class="field_help_link" href="page.cgi?id=fields.html#version">Version:</a>
</th>
<td>
<span id="version">unspecified </span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_rep_platform">
<a title="The hardware platform the bug was observed on. Note: When searching, selecting the option &quot;All&quot; only finds bugs whose value for this field is literally the word &quot;All&quot;." class="field_help_link" href="page.cgi?id=fields.html#rep_platform">Hardware:</a>
</th>
<td class="field_value">All </td>
</tr>
<tr>
<th class="field_label " id="field_label_op_sys">
<a title="The operating system the bug was observed on. Note: When searching, selecting the option &quot;All&quot; only finds bugs whose value for this field is literally the word &quot;All&quot;." class="field_help_link" href="page.cgi?id=fields.html#op_sys">OS:</a>
</th>
<td class="field_value"> Linux </td>
</tr>
<tr>
<th class="field_label">
<label accesskey="i">
<a href="page.cgi?id=fields.html#priority">Priority:</a></label>
</th>
<td>medium </td>
</tr>
<tr>
<th class="field_label">
<label><a href="page.cgi?id=fields.html#bug_severity">Severity:</a>
</label>
</th>
<td> medium </td>
</tr>
<tr>
<th class="field_label " id="field_label_target_milestone">
<a title="The Target Milestone field is used to define when the engineer the bug is assigned to expects to fix it." class="field_help_link" href="page.cgi?id=fields.html#target_milestone">Target Milestone:</a>
</th>
<td>
<span id="target_milestone">--- </span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_assigned_to">
<a title="The person in charge of resolving the bug." class="field_help_link" href="page.cgi?id=fields.html#assigned_to">Assignee:</a>
</th>
<td><span class="vcard redhat_user"><span class="fn">Red Hat Product Security</span>
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_qa_contact">
<a title="The person responsible for confirming this bug if it is unconfirmed, and for verifying the fix once the bug has been resolved." class="field_help_link" href="page.cgi?id=fields.html#qa_contact">QA Contact:</a>
</th>
<td><span class="vcard ">
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_docs_contact">
<label for="docs_contact" accesskey="q">
<a title="The person responsible for documenting once the bug has been resolved." class="field_help_link" href="page.cgi?id=fields.html#docs_contact">Docs Contact:</a>
</label>
</th>
<td><span class="vcard ">
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_bug_file_loc">
<a title="Bugs can have a URL associated with them - for example, a pointer to a web site where the problem is seen." class="field_help_link" href="page.cgi?id=fields.html#bug_file_loc">URL:</a>
</th>
<td>
<span id="bz_url_input_area">
</span>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_status_whiteboard">
<a title="Each bug has a free-form single line text entry box for adding tags and status information." class="field_help_link" href="page.cgi?id=fields.html#status_whiteboard">Whiteboard:</a>
</th>
<td>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_dependson">
<a title="The bugs listed here must be resolved before this bug can be resolved." class="field_help_link" href="page.cgi?id=fields.html#dependson">Depends On:</a>
</th>
<td>
<span id="dependson_input_area">
</span>
<a class="bz_bug_link
bz_status_VERIFIED
" title="VERIFIED - Add client certificate validation D-Bus API (dependency of cockpit CVE-2021-3698 fix)" href="show_bug.cgi?id=1992432">1992432</a> <a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=1992620">1992620</a> <a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=2005344">2005344</a> <a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=1993783">1993783</a> <a class="bz_bug_link
bz_status_CLOSED bz_closed
" title="CLOSED ERRATA - CVE-2021-3698 cockpit: authenticates with revoked certificates [fedora-all]" href="show_bug.cgi?id=1998513">1998513</a>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_blocked">
<a title="This bug must be resolved before the bugs listed in this field can be resolved." class="field_help_link" href="page.cgi?id=fields.html#blocked">Blocks:</a>
</th>
<td>
<span id="blocked_input_area">
</span>
<a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=1988484">1988484</a> <a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=1992150">1992150</a>
</td>
</tr>
<tr>
<th class="field_label">TreeView+</th>
<td>
<a href="buglist.cgi?bug_id=1992149&bug_id_type=anddependson&format=tvp">
depends on</a> / <a href="buglist.cgi?bug_id=1992149&bug_id_type=andblocked&format=tvp&tvp_dir=blocked">
blocked</a>
</td>
<td></td>
</tr>
</tbody>
</table>
</td>
<td>
<div class="bz_column_spacer"> </div>
</td>
<td id="bz_show_bug_column_2" class="bz_show_bug_column">
<table>
<tbody>
<tr>
<th class="field_label">
<a href="page.cgi?id=fields.html#reporter">Reported:</a>
</th>
<td>2021-08-10 16:30 UTC by <span class="vcard redhat_user"><span class="fn">Guilherme de Almeida Suckevicz</span>
</span>
</td>
</tr>
<tr>
<th class="field_label">
<a href="page.cgi?id=fields.html#modified">Modified:</a>
</th>
<td>2022-02-28 14:42 UTC (<a href="show_activity.cgi?id=1992149">History</a>) </td>
</tr>
<tr>
<th class="field_label">
<label accesskey="a">
<a href="page.cgi?id=fields.html#cclist">CC List:</a>
</label>
</th>
<td>19 users <span id="cc_edit_area_showhide_container"> (<a href="#" id="cc_edit_area_showhide">show</a>) </span>
<div id="cc_edit_area" class="bz_default_hidden">
<br>
<select id="cc" multiple="multiple" size="5">
<option value="bmontgom">bmontgom</option>
<option value="dperpeet">dperpeet</option>
<option value="eparis">eparis</option>
<option value="gkamathe">gkamathe</option>
<option value="jburrell">jburrell</option>
<option value="lmanasko">lmanasko</option>
<option value="michal.skrivanek">michal.skrivanek</option>
<option value="mmarusak">mmarusak</option>
<option value="mperina">mperina</option>
<option value="mpitt">mpitt</option>
<option value="nstielau">nstielau</option>
<option value="patrick">patrick</option>
<option value="pvolpe">pvolpe</option>
<option value="sbonazzo">sbonazzo</option>
<option value="security-response-team">security-response-team</option>
<option value="sgrubb">sgrubb</option>
<option value="sponnaga">sponnaga</option>
<option value="ssorce">ssorce</option>
<option value="stefw">stefw</option>
</select>
</div>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_fixed_in">
<a title="The full package version. PGM uses to check if brew ...">Fixed In Version:</a>
</th>
<td class="field_value " id="field_container_cf_fixed_in" colspan="2">cockpit 260 </td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_doc_type">
<a title="Click the information icon to the right to see the description">Doc Type:</a>
<i class="fas fa-info-circle pop-text" onclick="alertify.alert('Doc Type', BB_FIELDS['cf_doc_type'].long_desc)" title="Click to see full description"></i>
</th>
<td class="field_value " id="field_container_cf_doc_type" colspan="2">If docs needed, set a value <span id="cf_doc_warn"></span></td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_release_notes">
<a title="Click the information icon to the right to see the description">Doc Text:</a>
<i class="fas fa-info-circle pop-text" onclick="alertify.alert('Doc Text', BB_FIELDS['cf_release_notes'].long_desc)" title="Click to see full description"></i>
</th>
<td class="field_value " id="field_container_cf_release_notes" colspan="2">
<div class="uneditable_textarea">A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate
successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.</div>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_clone_of">
<a title="The bug listed here was the bug cloned to create thi...">Clone Of:</a>
</th>
<td class="field_value " id="field_container_cf_clone_of" colspan="2">
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_environment">
<a title="This field is used for unformatted text that helps t...">Environment:</a>
</th>
<td class="field_value " id="field_container_cf_environment" colspan="2">
<div class="uneditable_textarea"></div>
</td>
</tr>
<tr>
<th class="field_label " id="field_label_cf_last_closed">
<a title="When this bug was last marked as closed. Used for st...">Last Closed:</a>
</th>
<td class="field_value " id="field_container_cf_last_closed" colspan="2">
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td colspan="3">
<hr id="bz_top_half_spacer">
</td>
</tr>
</tbody>
</table>
<table id="bz_big_form_parts">
<tbody>
<tr>
<td>
<br>
<table id="attachment_table">
<tbody>
<tr id="a0">
<th align="left"> Attachments </th>
<th colspan="2" align="right">
<a href="page.cgi?id=terms-conditions.html">(Terms of Use)</a>
</th>
</tr>
<tr class="bz_attach_footer">
<td colspan="3">
<a href="attachment.cgi?bugid=1992149&action=enter">Add an attachment</a> (proposed patch, testcase, etc.)
</td>
</tr>
</tbody>
</table>
<br>
<br>
<table id="external_bugs_table" cellspacing="0" cellpadding="4">
<caption name="et0" id="et0">Links</caption>
<tbody>
<tr>
<th>System</th>
<th>ID</th>
<th>Private</th>
<th>Priority</th>
<th>Status</th>
<th>Summary</th>
<th>Last Updated</th>
</tr>
<tr id="ext_row_1916716">
<td>Github </td>
<td>
<a href="https://github.com/cockpit-project/cockpit/pull/16703">cockpit-project cockpit pull 16703</a>
</td>
<td>
<span id="ext_is_private_1916716">0 </span>
</td>
<td>
<span id="ext_priority_1916716">None </span>
</td>
<td>
<span id="ext_status_1916716">open </span>
</td>
<td>
<span id="ext_description_1916716" title="session: Validate client certificates against sssd's trusted CA">session: Validate client certificates against sssd's trusted CA </span>
</td>
<td>
<span id="ext_last_updated_1916716">2021-12-09 15:08:34 UTC </span>
</td>
</tr>
</tbody>
</table>
<br>
</td>
<td class="groups">
</td>
</tr>
</tbody>
</table>
<div id="comments">
<!-- This auto-sizes the comments and positions the collapse/expand links
to the right. -->
<table class="bz_comment_table">
<tbody>
<tr>
<td>
<div id="c0" class="bz_comment bz_first_comment
">
<div class="bz_first_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1992149#c0">Description</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Guilherme de Almeida Suckevicz</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2021-08-10 16:30:23 UTC </span>
</div>
<pre class="bz_comment_text">A flaw was found in Cockpit in the way it handles the certificate verification performed by SSSD and allows client certificates to successfully authenticate regardless of the CRL configuration or the certificate status.
</pre>
</div>
<div id="c4" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1992149#c4">Comment 4</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user">gkamathe </span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2021-08-17 16:33:02 UTC </span>
</div>
<pre class="bz_comment_text">(1) This is not currently a supported use case. The documentation [0] warns that cockpit doesn't do any meaningful verification of the certificate (it does reject expired ones, but no CA/CRL). This behaviour is not a secret, so it might be beneficial to make this unembargoed, to have a pointer for other affected users.
(2) Fixing this properly requires adding a validation D-Bus API to sssd [1]. I filed <a class="bz_bug_link
bz_status_VERIFIED
" title="VERIFIED - Add client certificate validation D-Bus API (dependency of cockpit CVE-2021-3698 fix)" href="show_bug.cgi?id=1992432">bug 1992432</a> for tracking this.
[0] <a href="https://cockpit-project.org/guide/latest/cert-authentication.html">https://cockpit-project.org/guide/latest/cert-authentication.html</a>
[1] <a href="https://github.com/SSSD/sssd/issues/5224">https://github.com/SSSD/sssd/issues/5224</a>
</pre>
</div>
<div id="c7" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1992149#c7">Comment 7</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Sandipan Roy</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2021-08-27 12:49:25 UTC </span>
</div>
<pre class="bz_comment_text">Created cockpit tracking bugs for this issue:
Affects: fedora-all [<a class="bz_bug_link
bz_status_CLOSED bz_closed
" title="CLOSED ERRATA - CVE-2021-3698 cockpit: authenticates with revoked certificates [fedora-all]" href="show_bug.cgi?id=1998513">bug 1998513</a>]
</pre>
</div>
<div id="c8" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1992149#c8">Comment 8</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Sandro Bonazzola</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2021-08-27 13:15:40 UTC </span>
</div>
<pre class="bz_comment_text">Is this going to be fixed for RHEL 7? I'm asking because we got a tracker opened on RHV-M 4.3 (<a class="bz_bug_link
bz_secure
" title="" href="show_bug.cgi?id=1993783">bug #1993783</a>) which is cross-shipping cockpit from RHEL 7 and if it's not going to be fixed there we should close it as well for RHV-M.
</pre>
</div>
<div id="c9" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1992149#c9">Comment 9</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2021-08-27 14:35:39 UTC </span>
</div>
<pre class="bz_comment_text">Sandro: No, it does not affect RHEL 7, the certificate auth functionality is RHEL 8/9 only (introduced in version 208, and RHEL 7 has Cockpit 195).
</pre>
</div>
<div id="c11" class="bz_comment
">
<div class="bz_comment_head">
<span class="bz_comment_number">
<a href="show_bug.cgi?id=1992149#c11">Comment 11</a>
</span>
<span class="bz_comment_user">
<span class="vcard redhat_user"><span class="fn">Martin Pitt</span>
</span>
</span>
<span class="bz_comment_user_images">
</span>
<span class="bz_comment_time"> 2021-12-09 15:08:35 UTC </span>
</div>
<pre class="bz_comment_text">With sssd 2.6.1 now being available in at least Fedora 35 and Debian testing, I worked on using this new API in Cockpit: <a href="https://github.com/cockpit-project/cockpit/pull/16703">https://github.com/cockpit-project/cockpit/pull/16703</a>
This includes integration tests and documentation, and falling back to the pre-2.6.1 API (where only full binary matching is supported). Review much appreciated!
Thanks again to the sssd team, in particular Iker Pedrosa, for adding the validation API!
As this breaks existing systems on upgrades, I add Lucie to CC: you now *have* to configure a CA in sssd for cert logins to work, and unfortunately `realm join` does not do this automatically for IPA. The upstream release note (in the PR, going to be in the release blog) and the upstream docs (once the PR lands) have the details.
</pre>
</div>
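The flaw this bug describes, as an added example that is not Cockpit's or sssd's code: a throwaway PKI built with openssl shows that a user lookup by exact certificate bytes (the pre-sssd-2.6.1 "full binary matching" that comment 11 mentions as the fallback) keeps accepting a certificate after it has been revoked, while building the chain to the trusted CA and consulting the CRL rejects it. The CA name Demo-CA, the user alice, the file layout and the ca.cnf contents are assumptions made for the demo; it needs openssl 1.1.1 or newer and cmp on PATH, and creates everything under a fresh mktemp directory.

```shell
#!/bin/sh
# Added example (not Cockpit's or sssd's code). Builds a throwaway CA, issues
# one client cert, revokes it, and compares two ways of "authenticating" it:
# byte-for-byte match against an enrolled copy vs. chain + CRL validation.
# CA name, user name, file layout and ca.cnf are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir -p ca/newcerts
: > ca/index.txt
echo 01 > ca/serial
echo 01 > ca/crlnumber

# Minimal config for openssl req(1) and ca(1): empty DN section because the
# subject is passed with -subj; CA extensions for the self-signed root.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF

# Self-signed CA (assumed name Demo-CA) and a client certificate for alice.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj /CN=Demo-CA -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
  -subj /CN=alice -keyout alice.key -out alice.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in alice.csr -out alice.crt 2>/dev/null

# What an identity store keeps on file at enrolment: the DER bytes of the cert.
openssl x509 -in alice.crt -outform DER -out alice.der
cp alice.der enrolled.der

# A CRL from before the revocation and one from after it.
openssl ca -config ca.cnf -gencrl -out ca/crl-empty.pem 2>/dev/null
openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca/crl-revoked.pem 2>/dev/null

# Vulnerable pattern: "presented cert is byte-identical to an enrolled one,
# therefore the user is authenticated". No CA, no CRL, no status check at all.
match_by_bytes() {            # $1 presented DER, $2 enrolled DER
  cmp -s "$1" "$2"
}

# Fixed pattern: chain the cert to the trusted CA and check the CRL for it.
validate_chain_crl() {        # $1 PEM cert, $2 CRL file
  openssl verify -CAfile ca/ca.crt -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1
}

report() {                    # $1 label, rest: command to run
  label=$1; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}
report "byte match, before revocation" match_by_bytes alice.der enrolled.der
report "chain+CRL,  before revocation" validate_chain_crl alice.crt ca/crl-empty.pem
report "byte match, after revocation " match_by_bytes alice.der enrolled.der
report "chain+CRL,  after revocation " validate_chain_crl alice.crt ca/crl-revoked.pem
```

The two "byte match" lines are the point: the lookup cannot tell a revoked certificate from a valid one because it never consults the issuer, which is exactly why the proper fix here had to go through sssd's validation API rather than stay inside Cockpit. The same logic applies to any service that maps a client certificate to a user by lookup: the lookup is a mapping step, not validation, and validation is only as good as the CA and CRL (or OCSP) source the validator is configured with.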
</td>
<td>
</td>
</tr>
</tbody>
</table>
</div>
<hr>
<div id="add_comment" class="bz_section_additional_comments">
<table>
<tbody>
<tr>
<td>
<fieldset>
<legend>Note</legend> You need to <a href="show_bug.cgi?id=1992149&GoAheadAndLogIn=1">log in</a> before you can comment on or make changes to this bug.
</fieldset>
</td>
</tr>
</tbody>
</table>
</div>
</form>
GET buglist.cgi
<form action="buglist.cgi" method="get" onsubmit="if (this.quicksearch.value == '')
{ alert('Please enter one or more search terms first.');
return false; } return true;">
<input type="hidden" id="no_redirect_bottom" name="no_redirect" value="1">
<input class="txt" type="text" id="quicksearch_bottom" name="quicksearch" title="Quick Search" value="">
<input class="btn" type="submit" value="Search" id="find_bottom">
</form>