EJBCA 7.3.1.2 Release Notes

This maintenance release resolves several vulnerabilities found in EJBCA during penetration testing, and we recommend that all customers upgrade their installations if they are affected and cannot otherwise mitigate. 

Summary of Vulnerabilities

The issues are submitted publicly as Common Vulnerabilities and Exposures (CVEs) and the CVE identifiers are referenced in the table below.

The table columns are Name, Description, Who is affected, and Possible Mitigation.

Name: Unchecked Certificate Uploads in Validator (CVE-2020-11629)
Description: The External Command Certificate Validator has been found to save uploaded test certificates to the server. An attacker with administrative access who has gained access to the CA UI could exploit this to upload malicious scripts to the server.
Who is affected: Users of the External Command Certificate Validator.
Possible Mitigation: None listed.

Name: Authentication Bypass Vulnerability (CVE-2020-11631)
Description: An error state can be generated in the CA UI by a malicious user, which in turn allows exploitation of other bugs, which can lead to privilege escalation and remote code execution. If the CA UI is not accessible on a port that does not require client certificate authentication (port 8442 or 8080 on a standard EJBCA installation), the vulnerability cannot be exploited.
Who is affected: Users of the PrimeKey PKI Appliance are not affected, as the PKI Appliance by default implements firewall rules which negate the issue.
Possible Mitigation: Use a firewall to ensure that the CA UI URI can only be accessed using client certificate authentication.

Name: XSS and CSRF Issues (CVE-2020-11627)
Description: Two XSS issues and a CSRF issue were found during testing. As is common with XSS and CSRF vulnerabilities generally, the risk is associated with a malicious administrator or an administrator following links to pages within EJBCA sent from a malicious source, both of which are unlikely within a secure environment. The CSRF issue could, by a talented attacker with knowledge of the CA system and network access to it, be used for privilege escalation.
Who is affected: All EJBCA installations.
Possible Mitigation: None listed.

Name: Protocol Access Control Bypass (CVE-2020-11628)
Description: EJBCA allows the restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. A vulnerability has been found where these restrictions can be bypassed by modifying the URI string from a client. EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow enrollment.
Who is affected: You may be affected if your PKI is set up for enrollment over a 3rd party protocol, but you have for whatever reason disabled that protocol in the System Configuration.
Possible Mitigation: To ensure complete mitigation of this vulnerability, we recommend that you block access paths to unwanted protocols (e.g. ejbca/publicweb/cmp) in your firewall.

Name: Deserialization Bug (CVE-2020-11630)
Description: Several vulnerable sections of code were found where the verification of serialized objects sent between nodes connected via the Peers protocol still allows insecure objects to be deserialized.
Who is affected: You may be affected if you have connected your VAs or RAs via the Peers protocol. For an exploit to be successful:
  • An attacker needs to have compromised the internal PKI in order to issue fraudulent TLS keys.
  • An attacker must have performed a complete takeover of one of the nodes in order to send a compromised payload.
Possible Mitigation: None listed.
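The two firewall mitigations above (CVE-2020-11631: the CA UI reachable only on the client-certificate port; CVE-2020-11628: disabled protocol paths blocked at the edge) can be verified from an outside network with a small exposure check. This is an added example, not code from the release notes or from PrimeKey; the host name, the probed paths and the probe functions are assumptions, and the probes are injectable so the logic can be tested offline.

```python
import socket
import ssl
import http.client

# Ports from the release notes: 8443 requires a TLS client certificate,
# 8442 and 8080 do not (standard EJBCA installation).
NO_CLIENT_CERT_PORTS = (8442, 8080)
PUBLIC_HTTPS_PORT = 8442

def port_open(host, port, timeout=2.0):
    """True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def path_status(host, port, path, timeout=2.0):
    """HTTP status of GET path over TLS, or None if unreachable.
    Certificate verification is off because a CA's own TLS cert is
    usually issued by a private CA (assumption for this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()

def exposure_findings(host, disabled_paths, is_open=port_open, status=path_status):
    """Return human-readable findings for the two firewall mitigations.
    disabled_paths: protocol paths turned off in System Configuration
    (e.g. "/ejbca/publicweb/cmp/") that should be blocked by the firewall."""
    findings = []
    for port in NO_CLIENT_CERT_PORTS:
        if is_open(host, port):
            findings.append(
                f"port {port} reachable: CA UI exposed without client-cert auth (CVE-2020-11631)")
    for path in disabled_paths:
        code = status(host, PUBLIC_HTTPS_PORT, path)
        # Anything short of a block (refused connection, 403/404) means the
        # disabled protocol path is still being served to this network.
        if code is not None and 200 <= code < 400:
            findings.append(
                f"{path} answered HTTP {code}: disabled protocol path not blocked (CVE-2020-11628)")
    return findings

if __name__ == "__main__":
    for line in exposure_findings("ca.example.test", ["/ejbca/publicweb/cmp/"]):
        print(line)
```

Run it from a network that should only have client-certificate access; an empty result means both mitigations hold from that vantage point.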

Upgrade Information

Review the EJBCA 7.3.1.2 Upgrade Notes for important information about this release. 

For general upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.3.1.2 is included in the PKI Appliance version 3.4.5 and EJBCA Cloud version 2.0.

Change Log: Resolved Issues

The following lists issues resolved in EJBCA 7.3.1.2.

Issues Resolved in 7.3.1.2

Released March 2020

Improvements

ECA-8775 - Improve output format in CertDistServlet listcerts command

ECA-8783 - Add test case for va publisher data source (Selenium)

ECA-8793 - Add new HTTP security headers

ECA-8809 - Fix formating in CertStoreServletTest and CertFetchAndVerify

Tasks

ECA-8790 - Perform upgrade testing

ECA-8807 - Change the copyright footer to 2020

Bug Fixes

ECA-7060 - Handle invalid input on 'Approval Profiles' page

ECA-7153 - Security issue

ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError

ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo

ECA-8772 - Minor security issue

ECA-8773 - Security issue

ECA-8776 - Backport - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled

ECA-8777 - Security issue

ECA-8782 - ServiceSession logs incorrect administrator when editing a service

ECA-8791 - Cannot search by year 2020 in Admin Web

ECA-8802 - Acme failure

ECA-8811 - CVCA link certificate has wrong validity

ECA-8819 - Cannot use 7.x RA with 6.15 CA

ECA-8823 - Bad default CRL parameters when importing CA

ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest

ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment

ECA-8875 - Backport Domain Blacklist test reliability fixes

ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT

ECA-8883 - RA fails into an endless loop on load when missing /ra_master/invoke_api access

ECA-8890 - Certificate Validator ignores profile settings