Bugzilla – Bug 1189894
VUL-0: CVE-2021-3698: cockpit: authenticates with revoked certificates
Last modified: 2022-10-28 15:26:43 UTC
A flaw was found in Cockpit in the way it handles the certificate verification performed by SSSD and allows client certificates to successfully authenticate regardless of the CRL configuration or the certificate status.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1992149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3698
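The check the description says is missing, shown as an added example that is not Cockpit's or SSSD's code: in Go, after chain validation, a client certificate is refused if a fresh CRL signed by the issuing CA lists its serial number. The CA, client certificate and CRL are constructed in-process for the demonstration, and the names `checkRevocation` and `buildPKI` are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("client certificate is revoked")

// checkRevocation is the missing step: after chain validation, refuse the cert if a fresh, issuer-signed CRL lists its serial.
func checkRevocation(client, ca *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // only trust a CRL signed by the issuing CA
		return err
	}
	if time.Now().After(crl.NextUpdate) { // a stale CRL says nothing about current status
		return errors.New("CRL is out of date")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// buildPKI constructs, for this example only, a throwaway CA, a client cert (serial 42) that chains to it, and a CRL revoking it.
func buildPKI() (client, ca *x509.Certificate, crlDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clPub, _, _ := ed25519.GenerateKey(rand.Reader) // the client's private key is not needed here
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed copy carries the SubjectKeyId the CRL signer requires
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"}, NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter}
	clDER, _ := x509.CreateCertificate(rand.Reader, clTmpl, ca, clPub, caKey)
	client, _ = x509.ParseCertificate(clDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return client, ca, crlDER
}
```

The client certificate chains correctly to the CA, which is all a chain-only verifier would see; only the CRL lookup turns it away.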
SUSE:SLE-15-SP2:Update:Products:MicroOS:Update/cockpit (v195.12) is not affected since the certificate auth functionality was introduced in version 208. openSUSE:Factory/cockpit (v250) should be affected but there is currently no patch available. A discussion is going on with the sssd [0] project in order to have a new D-Bus API that would expose sssd's cert validation and make Cockpit use it.

[0] https://github.com/SSSD/sssd/issues/5224
Looks like this was merged upstream into SSSD (https://github.com/SSSD/sssd/pull/5852, https://github.com/ikerexxe/sssd/commit/c6d901d65e38a792c4015efa70e3b925a922b406, https://github.com/SSSD/sssd/issues/5911), which is in SSSD v2.6.2, and then the fix was merged upstream in cockpit in https://github.com/cockpit-project/cockpit/pull/16703, which is part of the Cockpit 260.x version. The Factory version is 276.1, which includes the fix. But we have 251.3 in SLE Micro 15.2 and 15.3, and the SSSD we have in SLE is too old to have this API; even SP4 has 2.5.2.