Bugzilla – Bug 1189894
VUL-0: CVE-2021-3698: cockpit: authenticates with revoked certificates
Last modified: 2022-10-28 15:26:43 UTC
A flaw was found in Cockpit in the way it handles the certificate verification performed by SSSD and allows client certificates to successfully authenticate regardless of the CRL configuration or the certificate status.
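For readers of this bug who want to see concretely what "regardless of the CRL configuration" means, here is an added example; it is not code from Cockpit, SSSD or SUSE. It is a stand-alone Go program using only the standard library: it builds a throwaway PKI in memory (a CA, a client certificate the CA has revoked, one it has not, and the CA's CRL; all names and keys are constructed for the example), then compares a chain-only verification, which accepts the revoked certificate as described in this bug, with one that also enforces the issuer's CRL and fails closed when the CRL is missing, stale or not signed by the issuer. The function and type names (newPKI, chainOnly, withCRL, testPKI) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the issuer's CRL lists the certificate's serial.
var ErrRevoked = errors.New("client certificate is revoked")

func must[T any](v T, err error) T { // panic on error: fine for a throwaway fixture
	if err != nil {
		panic(err)
	}
	return v
}

// testPKI is constructed in memory for this example (hypothetical names, throwaway
// keys): a client cert the CA has revoked, one it has not, the CRL, and a root pool.
type testPKI struct {
	Revoked, Valid *x509.Certificate
	CRLDER         []byte
	Roots          *x509.CertPool
}

func newPKI() *testPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// crlSign is required, or CreateRevocationList refuses to sign the CRL.
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{0xde, 0xad, 0xbe, 0xef},
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// issue signs a client-auth certificate for cn with the CA key.
	issue := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, valid := issue(100, "alice"), issue(101, "bob")
	// The CA publishes a CRL, current for one hour, that revokes alice's certificate.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &testPKI{Revoked: revoked, Valid: valid, Roots: roots,
		CRLDER: must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))}
}

// chainOnly is the flawed check: it validates the chain to a trusted CA for
// client auth but never consults revocation data, so a revoked cert passes.
func chainOnly(cert *x509.Certificate, roots *x509.CertPool, now time.Time) ([][]*x509.Certificate, error) {
	return cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
}

// withCRL runs the same chain check and then enforces the issuer's CRL: it must be
// signed by the issuer found in the chain, be current, and not list the cert's serial.
func withCRL(cert *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) error {
	chains, err := chainOnly(cert, roots, now)
	if err != nil {
		return err
	}
	if len(chains[0]) < 2 {
		return errors.New("no issuer certificate in chain")
	}
	crl, err := x509.ParseRevocationList(crlDER) // malformed or missing CRL: fail closed
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("CRL is stale or not yet valid")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	p, now := newPKI(), time.Now()
	_, chainErr := chainOnly(p.Revoked, p.Roots, now) // nil: the revoked cert is accepted
	fmt.Println("chain-only:", chainErr, "| with CRL:", withCRL(p.Revoked, p.Roots, p.CRLDER, now))
}
```

The design point is that chain validation and revocation checking are separate steps; a verifier that stops after the first one behaves like the affected Cockpit versions. The CRL check deliberately rejects a stale CRL and an unparseable one instead of treating "no usable CRL" as "not revoked".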
SUSE:SLE-15-SP2:Update:Products:MicroOS:Update/cockpit (v195.12) is not affected since the certificate auth functionality was introduced in version 208.
openSUSE:Factory/cockpit (v250) should be affected but there is currently no patch available.
A discussion is going on with the sssd project in order to have a new D-Bus API that would expose sssd's cert validation and make Cockpit use it.
Looks like this was merged upstream into SSSD
which is in SSSD v2.6.2
and then the fix was merged upstream in cockpit in,
which is part of the Cockpit 260.x version
Factory version is 276.1, which includes the fix. But we have 251.3 in SLE Micro 15.2 and 15.3.
But the SSSD we have in SLE is too old to have this API; even SP4 has 2.5.2.