Jss · Cryptomanager · CVE-2019-14823
**Name of the Vulnerable Software and Affected Versions**
JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0
**Description**
A flaw was found in the "Leaf and Chain" OCSP policy implementation, where the root certificate of the presented certificate chain was implicitly trusted instead of being checked against a configured trust anchor. Applications using this policy may not properly verify the chain and could be vulnerable to man-in-the-middle attacks.
**Recommendations**
For JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, consider disabling the "Leaf and Chain" OCSP policy until a patch is available to prevent implicit trust of the root certificate.
Restrict access to applications using this policy to minimize the risk of exploitation.
Avoid using the affected CryptoManager versions in sensitive environments until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.