A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
Weakness
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gnutls | Gnu | 3.7.0 (including) | 3.8.3 (excluding) |
| Red Hat Enterprise Linux 9 | RedHat | gnutls-0:3.7.6-23.el9_3.3 | * |
| Red Hat Enterprise Linux 9 | RedHat | gnutls-0:3.7.6-23.el9_3.3 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | gnutls-0:3.7.6-21.el9_2.2 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/cephcsi-rhel9:v4.15.0-37 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.15.0-68 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/mcg-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/mcg-rhel9-operator:v4.15.0-39 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-client-console-rhel9:v4.15.0-58 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-client-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-client-rhel9-operator:v4.15.0-13 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-metrics-exporter-rhel9:v4.15.0-81 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/ocs-rhel9-operator:v4.15.0-79 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-cli-rhel9:v4.15.0-22 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.15.0-57 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-cosi-sidecar-rhel9:v4.15.0-6 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-csi-addons-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-csi-addons-rhel9-operator:v4.15.0-15 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-csi-addons-sidecar-rhel9:v4.15.0-15 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-multicluster-console-rhel9:v4.15.0-54 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-multicluster-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-multicluster-rhel9-operator:v4.15.0-10 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-must-gather-rhel9:v4.15.0-26 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-rhel9-operator:v4.15.0-19 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odr-cluster-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odr-hub-operator-bundle:v4.15.0-158 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odr-rhel9-operator:v4.15.0-21 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/rook-ceph-rhel9-operator:v4.15.0-103 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/cluster-logging-operator-bundle:v5.8.6-22 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/cluster-logging-rhel9-operator:v5.8.6-11 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/elasticsearch6-rhel9:v6.8.1-407 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/elasticsearch-operator-bundle:v5.8.6-19 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/elasticsearch-proxy-rhel9:v1.0.0-479 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/elasticsearch-rhel9-operator:v5.8.6-7 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/eventrouter-rhel9:v0.4.0-247 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/fluentd-rhel9:v5.8.6-5 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-227 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/logging-curator5-rhel9:v5.8.1-470 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/logging-loki-rhel9:v2.9.6-14 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/logging-view-plugin-rhel9:v5.8.6-2 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/loki-operator-bundle:v5.8.6-24 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/loki-rhel9-operator:v5.8.6-10 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/lokistack-gateway-rhel9:v0.1.0-525 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/opa-openshift-rhel9:v0.1.0-224 | * |
| RHOL-5.8-RHEL-9 | RedHat | openshift-logging/vector-rhel9:v0.28.1-56 | * |
| Gnutls28 | Ubuntu | bionic | * |
| Gnutls28 | Ubuntu | devel | * |
| Gnutls28 | Ubuntu | jammy | * |
| Gnutls28 | Ubuntu | lunar | * |
| Gnutls28 | Ubuntu | mantic | * |
| Gnutls28 | Ubuntu | noble | * |
| Gnutls28 | Ubuntu | trusty | * |
| Gnutls28 | Ubuntu | upstream | * |
| Gnutls28 | Ubuntu | xenial | * |
Related Attack Patterns
References
- https://access.redhat.com/errata/RHSA-2024:0533
- https://access.redhat.com/errata/RHSA-2024:1082
- https://access.redhat.com/errata/RHSA-2024:1383
- https://access.redhat.com/errata/RHSA-2024:2094
- https://access.redhat.com/security/cve/CVE-2024-0567
- https://bugzilla.redhat.com/show_bug.cgi?id=2258544
- https://gitlab.com/gnutls/gnutls/-/issues/1521
- https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
- http://www.openwall.com/lists/oss-security/2024/01/19/3
- https://access.redhat.com/errata/RHSA-2024:0533
- https://access.redhat.com/errata/RHSA-2024:1082
- https://access.redhat.com/errata/RHSA-2024:1383
- https://access.redhat.com/errata/RHSA-2024:2094
- https://access.redhat.com/security/cve/CVE-2024-0567
- https://bugzilla.redhat.com/show_bug.cgi?id=2258544
- https://gitlab.com/gnutls/gnutls/-/issues/1521
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
- https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
- https://security.netapp.com/advisory/ntap-20240202-0011/