In version 6.4.0, the directory path for the UNIX domain socket was changed to use a randomly generated path each time the application is started. This prevents a single user from being able to prevent all actions from being taken via the keylime command. IMPORTANT: This is a security update. Your installation may be affected if you have enabled the Revocation Notifier on a key server that uses a UNIX domain socket path that is accessible by unprivileged users. In order to prevent this update from breaking your installation, please follow the instructions in the Keylime 6.4.0 release announcement to disable Revocation Notifier. In addition to this security change, the Revocation Notifier was also changed in Keylime 6.4.0 to not revoke certificates that have already been revoked once.

What is Keylime?

Keylime is a key lime client that is used to transfer keys securely. Keylime provides the ability to perform revocation and certificate management on remote systems running OpenSSL. Keylime can also be configured to act as a proxy (or reverse proxy) for applications that use unprivileged ports to communicate with a remote system.

What is the Keylime Certificate Revocation Notifier?

The Keylime Certificate Revocation Notifier is a Keylime Manager feature that notifies the administrator of a server if any certificates are revoked. This can be useful in ensuring that you don't revoke valid and trusted certificates when they're accidentally issued or when they expire. You will receive an email notification, and a copy in your sent mailbox, with the subject "Your certificate has expired" or "Your certificate has been revoked."

The Revocation Notifier notifies administrators if their certificates have been revoked by another server. It's important to note that this is only possible via UNIX domain sockets, which are privileged ports and should only be used for privileged communications between two servers on the same machine, as opposed to unprivileged ports which can be accessed remotely by clients.
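The following is an added example, not code from the Keylime project, illustrating the mitigation described at the top of this page: binding the notifier's UNIX domain socket under a freshly generated, randomly named directory instead of a fixed, world-known path, together with a check an operator can run against an existing deployment. The function names, the `keylime-notifier-` prefix and the `notifier.sock` file name are assumptions chosen for the example; the world-writable directory in `create_shared_dir_socket()` is constructed purely to show the weak setting.

```python
import os
import socket
import stat
import tempfile


def bind_socket(path):
    """Bind and listen on a UNIX domain socket at `path`.

    bind() fails with EADDRINUSE if any file already exists at `path`,
    which is why a fixed, predictable path lets any local user who can
    write to that directory block the service from starting.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv


def create_private_socket(prefix="keylime-notifier-"):
    """Hardened pattern: socket inside a new random directory.

    tempfile.mkdtemp() picks an unpredictable name and creates the
    directory with mode 0700, so no other unprivileged user can
    pre-create the socket path, connect to it, or even list it.
    Returns (listening_socket, socket_path).
    """
    sock_dir = tempfile.mkdtemp(prefix=prefix)  # hypothetical prefix
    path = os.path.join(sock_dir, "notifier.sock")  # hypothetical name
    return bind_socket(path), path


def create_shared_dir_socket():
    """Weak pattern (constructed for contrast): socket in a shared directory.

    A fixed path in a directory writable by everyone is the situation
    the 6.4.0 change removes; here the directory is made 0777 on purpose.
    """
    shared_dir = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared_dir, 0o777)
    path = os.path.join(shared_dir, "notifier.sock")
    return bind_socket(path), path


def parent_dir_mode(path):
    """Permission bits of the directory containing `path`."""
    return stat.S_IMODE(os.lstat(os.path.dirname(path)).st_mode)


def socket_path_is_private(path):
    """Audit check for an existing deployment.

    True only if `path` is a socket owned by the current user and its
    parent directory is owned by the current user and not writable by
    group or others. Anything else means another local user could have
    planted the socket or can interfere with it.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != os.getuid():
        return False
    parent = os.lstat(os.path.dirname(path))
    if parent.st_uid != os.getuid():
        return False
    return not (parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def cleanup(srv, path):
    """Close the socket, remove it and its directory; True if fully removed."""
    srv.close()
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    return not os.path.exists(path)


if __name__ == "__main__":
    srv, path = create_private_socket()
    print("private socket:", path, "->", socket_path_is_private(path))
    cleanup(srv, path)
    srv, path = create_shared_dir_socket()
    print("shared-dir socket:", path, "->", socket_path_is_private(path))
    cleanup(srv, path)
```

`socket_path_is_private()` is the check to run on a pre-6.4.0 installation before deciding whether the Revocation Notifier's socket is exposed to unprivileged users; a `False` result for a deployed socket path is the condition the release announcement's advice to disable the notifier is meant for.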

What does this mean for me?

If you are using Keylime in a production environment and have Revocation Notifier enabled, the update will not prevent your installation from being broken. In order to prevent this update from breaking your installation, please follow the instructions in the Keylime 6.4.0 release announcement to disable Revocation Notifier.

Keylime 6.3.1

The latest update, Keylime 6.3.1, includes the following security changes:
* A security issue was fixed in which the directory path for UNIX domain sockets was changed to use a randomly generated path each time the application is started. This prevents a single user from being able to prevent all actions from being taken via the keylime command.
* In order to prevent this update from breaking your installation, please follow the instructions in the Keylime 6.4.0 release announcement to disable Revocation Notifier.
* The Revocation Notifier was also changed in Keylime 6.4.0 to not revoke certificates that have already been revoked once.

What is a key server?

A key server is a service that provides cryptographic keys for use with applications. When a user creates an account on your website, they will be prompted to provide their public key. This key can then be stored on the key server by the application. The application will periodically check with the key server to see if the certificate associated with that public key has been revoked, and act accordingly.

Timeline

Published on: 09/21/2022 19:15:00 UTC
Last modified on: 09/22/2022 16:21:00 UTC