Description
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from GLOBALTRUST. Certifi 2024.7.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
A flaw was found in Certifi, a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certain versions of Certifi recognized root certificates from 'GLOBALTRUST'. However, pursuant to an investigation that identified "long-running and unresolved compliance issues," GLOBALTRUST's root certificates are now removed from the root store.
Statement
Red Hat ships an affected version of python-certifi; however, the product includes a separate CA bundle installed from RHEL with a custom product-based patch. Hence it does not use the certificates provided upstream and is not affected by the flaw. The Red Hat Product Security team does not foresee any impact on the confidentiality, integrity or availability of systems for this product due to this flaw.
Mitigation
This issue can be mitigated by adding the root CAs in question to /etc/pki/ca-trust/source/blacklist on RHEL 8 or /etc/pki/ca-trust/source/blocklist on RHEL 9 and running update-ca-trust. See also https://www.redhat.com/sysadmin/configure-ca-trust-list.
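The mitigation above requires the certificates in question as individual PEM files in the blocklist directory. The following added example (not certifi's or Red Hat's own tooling) locates entries in a certifi-style bundle by the `# Label:` comment certifi writes above each certificate and exports each match as its own file for `update-ca-trust` to pick up. The sample bundle below is constructed and its certificate bodies are dummies; `find_entries`, `export_to_blocklist` and the directory path are this example's own names.

```python
"""Select root CAs from a certifi-style bundle by label and export them as
separate PEM files for the ca-trust blocklist directory (added example)."""
import re
import tempfile
from pathlib import Path

# Constructed sample in certifi's bundle layout; the base64 bodies are dummies.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----

# Issuer: CN=GLOBALTRUST 2020 O=Example Issuer
# Subject: CN=GLOBALTRUST 2020 O=Example Issuer
# Label: "GLOBALTRUST 2020"
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
"""

# One entry: the Label comment, any further comment lines, then the PEM block.
ENTRY_RE = re.compile(
    r'# Label: "(?P<label>[^"]*)"[ \t]*\n(?:#[^\n]*\n)*'
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.DOTALL,
)


def find_entries(bundle_text, label_pattern):
    """Return (label, pem) pairs whose label matches label_pattern (case-insensitive)."""
    rx = re.compile(label_pattern, re.IGNORECASE)
    return [(m["label"], m["pem"]) for m in ENTRY_RE.finditer(bundle_text)
            if rx.search(m["label"])]


def blocklist_filename(label):
    """Derive a safe file name from a certificate label."""
    return re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_") + ".pem"


def export_to_blocklist(entries, blocklist_dir):
    """Write each entry to its own .pem under blocklist_dir and return the paths.
    On RHEL 9 the real directory is /etc/pki/ca-trust/source/blocklist (RHEL 8:
    .../blacklist); run `update-ca-trust` afterwards so the change takes effect."""
    out = Path(blocklist_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for label, pem in entries:
        path = out / blocklist_filename(label)
        path.write_text(pem)
        written.append(path)
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the blocklist dir
        for p in export_to_blocklist(find_entries(SAMPLE_BUNDLE, "GLOBALTRUST"), tmp):
            print("wrote", p.name)
```

To apply it to a real installation, read the bundle from `certifi.where()` and pass the RHEL blocklist directory instead of the temporary one.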
Affected packages
Platform | Package | Status | Advisory | Release
---|---|---|---|---
Red Hat Ansible Automation Platform 2 | python3x-certifi | Not affected | |
Red Hat Ansible Automation Platform 2 | python-certifi | Not affected | |
Red Hat Ceph Storage 6 | python-certifi | Not affected | |
Red Hat Ceph Storage 7 | python-certifi | Not affected | |
Red Hat OpenShift Container Platform 3.11 | python-certifi | Not affected | |
Red Hat Openshift Container Storage 4 | python-certifi | Not affected | |
Red Hat OpenStack Platform 16.1 | python-certifi | Not affected | |
Red Hat OpenStack Platform 18.0 | python-certifi | Not affected | |
Red Hat Satellite 6 | python-certifi | Not affected | |
Red Hat Update Infrastructure 4 for Cloud Providers | python-certifi | Not affected | |
Additional information
EPSS
3.7 Low
CVSS3