Description
A vulnerability was found in GnuTLS, where Cockpit (which uses GnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
Statement
The issue is marked as moderate because it involves a vulnerability in GnuTLS, specifically affecting Cockpit, which utilizes GnuTLS. The vulnerability arises when a certificate chain with distributed trust is rejected during validation using cockpit-certificate-ensure. Although this flaw could potentially be exploited by an unauthenticated remote attacker to trigger a denial of service attack on the client, specific server configurations are required for client authentication requests. This is a bug in the GnuTLS library: Cockpit does not copy this code, but uses the shared library at runtime. Patching gnutls is therefore necessary and sufficient to address this, hence Cockpit is not affected by this issue.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | gnutls | Out of support scope | | |
Red Hat Enterprise Linux 7 | cockpit | Out of support scope | | |
Red Hat Enterprise Linux 7 | gnutls | Out of support scope | | |
Red Hat Enterprise Linux 8 | cockpit | Not affected | | |
Red Hat Enterprise Linux 8 | gnutls | Not affected | | |
Red Hat Enterprise Linux 9 | cockpit | Not affected | | |
Red Hat OpenShift Container Platform 3.11 | cockpit | Not affected | | |
Red Hat Enterprise Linux 9 | gnutls | Fixed | RHSA-2024:0533 | 29.01.2024 |
Red Hat Enterprise Linux 9.2 Extended Update Support | gnutls | Fixed | RHSA-2024:1082 | 05.03.2024 |
Additional information
Status:
7.5 High
CVSS3