This maintenance release resolves several vulnerabilities found in EJBCA during penetration testing. We recommend that all affected customers upgrade their installations unless they can otherwise mitigate the issues described below.
Summary of Vulnerabilities
The issues are submitted publicly as Common Vulnerabilities and Exposures (CVEs) and the CVE identifiers are referenced in the table below.
Unchecked Certificate Uploads in Validator
Description: The External Command Certificate Validator saves uploaded test certificates to the server's file system. An attacker who has gained administrative access to the CA UI could use this to place malicious scripts on the server.
Who is affected: Users of the External Command Certificate Validator.

Authentication Bypass Vulnerability
Description: A malicious user can put the CA UI into an error state that in turn enables the exploitation of other bugs, which can lead to privilege escalation and remote code execution. The vulnerability can only be exploited if the CA UI is reachable on a port that does not require client certificate authentication (port 8442 or 8080 on a standard EJBCA installation). Users of the PrimeKey PKI Appliance are not affected, since the PKI Appliance by default implements firewall rules that prevent the issue.
Possible mitigation: Use a firewall to ensure that the CA UI URI is only reachable over a listener that requires client certificate authentication.

XSS and CSRF Issues
Description: Two XSS issues and one CSRF issue were found during testing. As is common with XSS and CSRF vulnerabilities, the risk arises from a malicious administrator, or from an administrator following links to EJBCA pages supplied by a malicious source, both of which are unlikely in a secure environment. The CSRF issue could be used for privilege escalation by a skilled attacker with knowledge of the CA system and network access to it.
Who is affected: All EJBCA installations.

Protocol Access Control Bypass
Description: EJBCA allows the available remote protocols (CMP, ACME, REST, etc.) to be restricted through the System Configuration. These restrictions can be bypassed by a client that modifies the URI string. EJBCA's internal access control restrictions remain in place, and each protocol must still be configured to allow enrollment.
Who is affected: You may be affected if your PKI is set up for enrollment over a third-party protocol but you have, for whatever reason, disabled that protocol in the System Configuration.
Possible mitigation: To fully mitigate this vulnerability, block the access paths of unwanted protocols (e.g. ejbca/publicweb/cmp) in your firewall.

Insecure Deserialization over the Peers Protocol
Description: Several vulnerable sections of code were found where the verification of serialized objects exchanged between nodes connected via the Peers protocol still allows unsafe objects to be deserialized.
Who is affected: You may be affected if you have connected your VAs or RAs via the Peers protocol.
For an exploit to be successful:
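The two network-level mitigations given above (keeping the CA UI off the listener that lacks client certificate authentication, and blocking the paths of protocols you do not use) can both be enforced by a layer-7 filter in front of the application server. The following nginx configuration is an added example; it is not part of these release notes or of the EJBCA project. It assumes nginx terminates TLS on the server-authenticated port 8442, that the application server's plain HTTP port 8080 is reachable only from the proxy host, the standard EJBCA context paths (/ejbca/adminweb/, /ejbca/publicweb/cmp, /ejbca/publicweb/status/ocsp, /ejbca/publicweb/webdist/), and hypothetical hostname and key file names. The client-certificate listener on port 8443 is deliberately left on the application server itself, because that listener has to see the client certificate for CA UI authentication to work.

```nginx
# Added example, not from the EJBCA release notes or the EJBCA project.
# Assumptions: nginx fronts EJBCA on the server-authenticated port 8442,
# WildFly/EJBCA listens on 127.0.0.1:8080 and is reachable only from this host,
# ca.example.test and the key/certificate paths are placeholders.

upstream ejbca_backend {
    server 127.0.0.1:8080;
}

# Listener WITHOUT client certificate authentication (the role of 8442/8080).
# Default-deny: only the protocols this listener must serve are passed through,
# so neither the CA UI nor a protocol disabled in System Configuration is
# reachable here, whatever form the request URI takes.
server {
    listen 8442 ssl;
    server_name ca.example.test;

    ssl_certificate     /etc/nginx/tls/ca.example.test.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/ca.example.test.key;   # placeholder

    # Catch-all: refuse everything not explicitly allowed below.
    # nginx resolves "." and ".." segments and (merge_slashes on, the default)
    # collapses repeated slashes before location matching, so URI variants of
    # /ejbca/adminweb/ or /ejbca/publicweb/cmp still land here and are refused.
    location / {
        return 403;
    }

    # Allowlist: add only protocols that are actually enabled and needed on the
    # public side. OCSP and CRL/certificate distribution are typical candidates.
    location = /ejbca/publicweb/status/ocsp {
        proxy_pass http://ejbca_backend;
        proxy_set_header Host $host;
    }
    location /ejbca/publicweb/webdist/ {
        proxy_pass http://ejbca_backend;
        proxy_set_header Host $host;
    }

    # Explicitly denied even if a broader allow rule is added later.
    location /ejbca/adminweb/     { return 403; }
    location /ejbca/publicweb/cmp { return 403; }
}
```

The deny rules at the end are redundant with the catch-all and exist so that the CA UI and the example CMP path stay blocked if someone later loosens the allowlist. Prefer the allowlist over a denylist: the bypass described above works by altering the URI string, and a denylist only protects the spellings it anticipates. Port 8080 is plain HTTP in a standard installation and should simply be closed to the network or given the same default-deny treatment. This is defence in depth for the two findings, not a substitute for installing the release.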
Review the Upgrade Notes for this release for important information before upgrading.
For general upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
The following lists the issues resolved in this release.
ECA-8775 - Improve output format in CertDistServlet listcerts command
ECA-8783 - Add test case for va publisher data source (Selenium)
ECA-8793 - Add new HTTP security headers
ECA-8809 - Fix formatting in CertStoreServletTest and CertFetchAndVerify
ECA-8790 - Perform upgrade testing
ECA-8807 - Change the copyright footer to 2020
ECA-7060 - Handle invalid input on 'Approval Profiles' page
ECA-7153 - Security issue
ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError
ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo
ECA-8772 - Minor security issue
ECA-8773 - Security issue
ECA-8776 - Backport - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled
ECA-8777 - Security issue
ECA-8782 - ServiceSession logs incorrect administrator when editing a service
ECA-8791 - Cannot search by year 2020 in Admin Web
ECA-8802 - Acme failure
ECA-8811 - CVCA link certificate has wrong validity
ECA-8819 - Cannot use 7.x RA with 6.15 CA
ECA-8823 - Bad default CRL parameters when importing CA
ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest
ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment
ECA-8875 - Backport Domain Blacklist test reliability fixes
ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT
ECA-8883 - RA fails into an endless loop on load when missing /ra_master/invoke_api access
ECA-8890 - Certificate Validator ignores profile settings