COMMUNITY EDITION JUNE 2022
We are happy to announce the newest release of our open-source PKI software, EJBCA Community Edition 7.9.0, and thank each and every EJBCA contributor for the work that got us here.
These release notes cover the new EJBCA Community features and improvements implemented between EJBCA Community 7.4.3 and EJBCA Community 7.9.0.
This release includes several new features, among them the Enrollment REST API and External Account Bindings, together with bug fixes for EJBCA Community and several security enhancements.
EJBCA Enrollment REST API
EJBCA Community 7.9.0 introduces more flexible integration options by supporting a subset of the EJBCA REST API. The EJBCA Enrollment REST API lets client applications built on modern tooling enroll and revoke certificates through REST calls, which also enables a basic level of automation for issuance and revocation.
To learn more about how to integrate EJBCA Community using the REST API and visualize and interact with the API resources using Swagger, see EJBCA REST Interface.
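As an added example (not EJBCA's own code or a supported client), the following Python helpers build the PKCS#10 enrollment call and the revocation call against the documented EJBCA REST paths and authenticate with an administrator client certificate over mutual TLS. The host name, CA name, profile names, end entity name and file paths are placeholders; the request and response field names follow the EJBCA REST documentation, but check them against the Swagger page of your own installation before relying on them.

```python
"""Enroll and revoke through the EJBCA Enrollment REST API.

Added example, not EJBCA code. Assumed (documented) endpoints:
  POST /ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll
  PUT  /ejbca/ejbca-rest-api/v1/certificate/{issuer_dn}/{serial_hex}/revoke?reason=...
The caller authenticates with a client certificate mapped to an EJBCA role
that holds the access rules for the CA and profiles used.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

REST_BASE = "/ejbca/ejbca-rest-api/v1/certificate"

# Reason names accepted by the revoke endpoint (RFC 5280 CRLReason values by name).
REVOCATION_REASONS = {
    "NOT_REVOKED", "UNSPECIFIED", "KEY_COMPROMISE", "CA_COMPROMISE",
    "AFFILIATION_CHANGED", "SUPERSEDED", "CESSATION_OF_OPERATION",
    "CERTIFICATE_HOLD", "REMOVE_FROM_CRL", "PRIVILEGES_WITHDRAWN", "AA_COMPROMISE",
}


def enroll_request(host, csr_pem, ca_name, cert_profile, ee_profile, username, password):
    """Return (url, body_bytes) for a PKCS#10 enrollment.

    The CSR must be PEM. 'username'/'password' name the end entity and its
    enrollment code; the end entity profile decides whether a new end entity
    may be created this way.
    """
    if "BEGIN CERTIFICATE REQUEST" not in csr_pem:
        raise ValueError("csr_pem must be a PEM-encoded PKCS#10 request")
    body = {
        "certificate_request": csr_pem,
        "certificate_profile_name": cert_profile,
        "end_entity_profile_name": ee_profile,
        "certificate_authority_name": ca_name,
        "username": username,
        "password": password,
        "include_chain": True,
    }
    return f"https://{host}{REST_BASE}/pkcs10enroll", json.dumps(body).encode()


def revoke_url(host, issuer_dn, serial, reason):
    """Return the revoke URL.

    The issuer DN travels as a path segment, so '=' and ',' must be
    percent-encoded; the serial is hexadecimal without a 0x prefix.
    """
    if reason not in REVOCATION_REASONS:
        raise ValueError(f"unknown revocation reason {reason!r}")
    serial_hex = format(serial, "x") if isinstance(serial, int) else serial.lower().removeprefix("0x")
    int(serial_hex, 16)  # rejects anything that is not a hex serial
    issuer = urllib.parse.quote(issuer_dn, safe="")
    return f"https://{host}{REST_BASE}/{issuer}/{serial_hex}/revoke?reason={reason}"


def certificate_pem_from_response(payload):
    """Turn the enrollment response ('certificate' = base64 DER) into PEM."""
    if payload.get("response_format", "DER") != "DER":
        raise ValueError(f"unexpected response_format {payload.get('response_format')!r}")
    der = base64.b64decode(payload["certificate"], validate=True)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def mtls_context(client_cert, client_key, ca_bundle):
    """TLS context that verifies the EJBCA server and presents the admin client cert."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(client_cert, client_key)
    return ctx


def call(url, method, ctx, body=None):
    req = urllib.request.Request(
        url, data=body, method=method,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Placeholders: replace with your EJBCA host, CA/profile names and admin credentials.
    ctx = mtls_context("superadmin.pem", "superadmin.key", "ManagementCA.pem")
    with open("client.csr") as f:
        url, body = enroll_request("ejbca.example.test:8443", f.read(), "ExampleCA",
                                   "ENDUSER", "EMPTY", "client1", "enrollment-code")
    issued = call(url, "POST", ctx, body)
    print(certificate_pem_from_response(issued))
    # Revoke the certificate just issued; issuer_dn is the issuing CA's subject DN.
    call(revoke_url("ejbca.example.test:8443", "CN=ExampleCA,O=Example",
                    issued["serial_number"], "KEY_COMPROMISE"), "PUT", ctx)
```

The administrator certificate used for the TLS client authentication is what EJBCA authorizes; the REST role it maps to should carry only the access rules for the CAs and profiles this integration needs, not super administrator rights.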
External Account Bindings
Inspired by External Account Bindings in ACME (supported in EJBCA Enterprise as of version 7.5), we have extended the concept throughout EJBCA to provide a quick and easy way to link any certificate enrolled via the RA or the REST API to an external identifier, affiliating certificates with identities.
Subsets of allowed values can be preconfigured in certificate profiles so that only valid identities can be submitted, and to provide content assistance in the RA. For more information, see External Account Bindings.
Domain Allow List Validator
By popular request, we have added a Domain Allow List Validator as a companion to the existing Domain Block List Validator. It performs the opposite role: instead of rejecting listed domains, it restricts the domains in dnsName fields to the subset that is defined. For more information, see Certificate Field Validators.
URIs Added as Name Constraints
In addition to constraints on DNS names and IP addresses, we have added name constraints for URIs. Note that, per RFC 5280, a URI name constraint applies to the host part of the URI, not to the scheme or path. For more information on name constraints, see CA Fields.
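The two mechanisms above restrict domains at different points: the allow and block list validators act at enrollment time on the requested dnsName values, while name constraints are encoded in the CA certificate and enforced by relying parties. The Python below is an added example (not EJBCA code) that implements both the validator checks and RFC 5280 section 4.2.1.10 matching for the dNSName and URI name forms, including the rule that a URI without a fully qualified host must be rejected when any URI constraint is present. The validator semantics (a list entry covers the domain itself and its subdomains) are an assumption for this example; the validator configuration in EJBCA may offer other matching modes.

```python
"""Domain restriction checks: enrollment validators and X.509 name constraints.

Added example, not EJBCA code.
  1. validate_dns_names: allow/block list applied to dnsName values before
     issuance (assumed semantics: an entry covers the domain and its subdomains).
  2. check_name_constraints: RFC 5280 4.2.1.10 matching for dNSName and URI,
     as a relying party would apply constraints from the CA certificate.
"""
import ipaddress
from urllib.parse import urlsplit


def _norm(name):
    return name.strip().rstrip(".").lower()


def is_subdomain_or_equal(name, base):
    name, base = _norm(name), _norm(base)
    return name == base or name.endswith("." + base)


def validate_dns_names(dns_names, allow_list=None, block_list=None):
    """Return rejection reasons (empty list means accept).
    Block list: reject names on or under a listed domain.
    Allow list: reject names not on or under any listed domain."""
    problems = []
    for n in dns_names:
        if block_list and any(is_subdomain_or_equal(n, b) for b in block_list):
            problems.append(f"{n}: domain is blocked")
        if allow_list is not None and not any(is_subdomain_or_equal(n, a) for a in allow_list):
            problems.append(f"{n}: domain not on allow list")
    return problems


def dns_constraint_matches(dns_name, constraint):
    """dNSName: the name equals the constraint or extends it to the left by whole
    labels (www.host.example.com matches host.example.com; host1.example.com does not)."""
    return is_subdomain_or_equal(dns_name, constraint)


def uri_constraint_matches(uri, constraint):
    """URI: only the host part is constrained. A constraint starting with '.'
    matches any host ending in that suffix (not the bare domain); otherwise it
    names exactly one host. Raises ValueError if the URI has no FQDN host, which
    RFC 5280 requires to be rejected whenever a URI constraint is in force."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"{uri}: no authority/host component")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError(f"{uri}: host is an IP address, not an FQDN")
    host, constraint = _norm(host), constraint.strip().lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


MATCHERS = {"dns": dns_constraint_matches, "uri": uri_constraint_matches}


def check_name_constraints(sans, permitted, excluded):
    """sans, permitted, excluded: lists of (name_form, value), name_form in MATCHERS.
    A name is rejected if it matches an excluded subtree, or if permitted subtrees
    exist for its name form and it matches none of them. Returns (ok, reason)."""
    for form, value in sans:
        if form not in MATCHERS:
            continue  # name forms this example does not model are left unrestricted
        match = MATCHERS[form]
        try:
            if any(match(value, c) for f, c in excluded if f == form):
                return False, f"{form} {value} is in an excluded subtree"
            permitted_for_form = [c for f, c in permitted if f == form]
            if permitted_for_form and not any(match(value, c) for c in permitted_for_form):
                return False, f"{form} {value} is outside all permitted subtrees"
        except ValueError as e:
            return False, str(e)
    return True, "ok"
```

Note the asymmetry the code makes explicit: "evil-example.com" is not under "example.com" for either mechanism, while a URI constraint of ".example.com" admits "host.example.com" but not "example.com" itself, so a CA constrained that way cannot issue a URI SAN for the apex host.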
Log4j Upgrade
As stated before, EJBCA was never vulnerable to CVE-2021-44228 or the subsequent findings, because EJBCA logs through the JBoss EAP/WildFly logging subsystem and uses the Log4j API only as a facade. Log4j version 1 is included in the source mainly as a building block; it is not used in the main deployment and is only referenced directly from the CLI, but its presence still trips automatic vulnerability scanners. Since many of our customers need to satisfy auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any remaining questions about EJBCA being vulnerable.
Bouncy Castle Upgrade
We upgraded Bouncy Castle to version 1.71.
RA Web Enhancements
We have added features to the RA Web with the goal that all RA operations can be managed from it. These enhancements have made the Public Web increasingly redundant, and the Public Web is therefore deprecated as of EJBCA 7.9.
The Public Web is still available in EJBCA 7.9.0 but will no longer be supported as of the next major version of EJBCA. We recommend migrating your workflows to the RA Web in preparation for its removal. Certain use cases may not yet be fully replaceable by the RA Web; we will put the last pieces in place in upcoming releases. The endpoints for CA certificate and CRL distribution located under the Public Web URL will remain available.
Sunset of JDK8 Support
With JDK8 reaching the end of its official support window from Oracle, we will sunset our own JDK8 support towards the end of this year so that we can take advantage of the many features in JDK11 and later. We recommend that all customers upgrade to JDK11. With JDK17 being the next LTS release from Oracle, we will implement full support for it towards the autumn.
CMP over TCP no longer Supported
CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.
SaferDailyRollingFileAppender no longer Supported
The SaferDailyRollingFileAppender (enabled by setting ocsp.log-safer=true in the ocsp.properties configuration file) has been deprecated and removed due to incompatibilities with the Log4j upgrade. When enabled, it rolled back the OCSP transaction if the server log could not be written, a corner case for certain VAs with a legal requirement to log all OCSP traffic. This setting is no longer supported by EJBCA.
Sunset of ejbca-setup.sh Script
We are sunsetting the ejbca-setup.sh quick installation script and associated documentation to decrease the maintenance load and consolidate the installation paths. If you're currently relying on this script, we recommend you migrate your workflows.
Security Fixes
This release comes with fixes for a few minor security issues, as well as additional security hardening.
General Purpose Custom Publisher able to Run Despite External Scripts Being Disabled
The General Purpose Custom Publisher, which invokes a local script on each publishing operation, could still run when the System Configuration setting Enable External Script Access was disabled. With the setting disabled it is not possible to create new publishers of this type, but existing publishers continued to run.
We rate the severity as low, since creating or changing a publisher requires super administrator access to EJBCA, and modifying an existing script requires operating system access. The issue has been assigned CVE-2021-40089.
Enrollment Secrets Logged in Audit Log
When changes to the alias configurations of the protocols that use an enrollment secret were audit logged, any modification of the secret was recorded in cleartext in the audit log.
We rate the severity as low, since enrollment secrets are by definition known to system administrators, and only trusted users should have access to the audit log. The issue has been assigned CVE-2021-40087.
Enrollment Secrets Reflected in UI
In the alias configuration pages for SCEP and CMP, the enrollment secret was reflected back into the page. While hidden from direct view, the page source revealed the secret.
We rate the severity as low, since anyone with access to the configuration page most likely has access to the secret already and is authorized to change it. The issue has been assigned CVE-2021-40086.
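The two secret-handling issues above share one pattern: configuration code treated the shared secret like any other alias setting, so it flowed into the audit diff and into the rendered form. The Python below is an added example (not EJBCA code) of the usual remedy for both: audit entries record that a secret-bearing key changed but never its value, and the edit form carries a write-only sentinel instead of the secret, which the server maps back to the stored value when the field comes back untouched. The configuration key names are illustrative; EJBCA's own alias keys are not reproduced here.

```python
"""Handling enrollment secrets in audit logs and configuration pages.

Added example, not EJBCA code. Key names are illustrative assumptions.
"""

SECRET_MARKERS = ("secret", "password", "passphrase")
REDACTED = "[redacted]"
UNCHANGED = "__unchanged__"   # sentinel the form returns when the admin left the secret alone


def is_secret_key(key):
    k = key.lower()
    return any(m in k for m in SECRET_MARKERS)


def audit_config_change(alias, old, new):
    """Audit entries for an alias update. For a secret-bearing key the fact of
    the change is recorded; neither the old nor the new value reaches the log."""
    entries = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        if is_secret_key(key):
            entries.append(f"alias={alias} key={key} changed=true value={REDACTED}")
        else:
            entries.append(f"alias={alias} key={key} old={before!r} new={after!r}")
    return entries


def render_form(config):
    """Values sent to the browser for the edit page. Secrets are replaced by the
    sentinel so the page source cannot reveal them; a password-type input holding
    the sentinel shows as 'set' without echoing the value."""
    return {k: (UNCHANGED if is_secret_key(k) else v) for k, v in config.items()}


def apply_form(current, submitted):
    """Merge a submitted form into the stored config. A secret field that still
    carries the sentinel keeps the stored value; any other value replaces it."""
    merged = dict(current)
    for k, v in submitted.items():
        if is_secret_key(k) and v == UNCHANGED:
            continue
        merged[k] = v
    return merged
```

The sentinel must be something an administrator would never choose as a real secret; rejecting it as a new secret value at validation time closes that corner case.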
CMP Revocation Ignores Multi Tenancy Constraints
CMP RA mode can be configured to authenticate enrolling clients with a known client certificate, and the same RA client certificate is used for revocation requests. Enrollment enforces multi-tenancy constraints by verifying that the client certificate has access to the CA and profiles being enrolled against, but this check was not performed when authenticating revocation requests, so a known tenant could revoke a certificate belonging to another tenant.
We rate the severity as medium: while not as serious as ignoring multi-tenancy constraints for enrollment, it allowed tenants to perform denial-of-service attacks on each other. The attacking party still needed to be a known and trusted entity. The issue has been assigned CVE-2021-40088.
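The point worth taking from this fix is where the tenancy scope for a revocation comes from: an enrollment request names the CA and profile it wants, but a CMP revocation request only names the target certificate by issuer and serial, so the scope has to be derived from the stored certificate and then checked against the RA's authorization. The Python below is an added example (not EJBCA code) that models two tenants on one instance, shows the flawed handler that authenticates the RA but never ties the target to its scope, and the checked handler beside it. Class and CA names are constructed for the example.

```python
"""Tenant-scoped revocation authorization, modeled in Python.

Added example, not EJBCA code. A tenant is an RA client certificate that is
authorized for a subset of CAs and profiles. The flaw described above is that
revocation verified who the RA was, not which CA's certificates it may act on.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class RaClient:
    fingerprint: str            # of the authenticated RA client certificate
    allowed_cas: FrozenSet[str]
    allowed_profiles: FrozenSet[str]


@dataclass
class Certificate:
    issuer_ca: str
    serial: int
    profile: str
    revoked: bool = False
    reason: Optional[str] = None


class AuthorizationError(PermissionError):
    pass


class CertStore:
    """Certificates are addressed the way a CMP revocation request names them: issuer + serial."""
    def __init__(self):
        self._certs: Dict[Tuple[str, int], Certificate] = {}

    def add(self, cert):
        self._certs[(cert.issuer_ca, cert.serial)] = cert

    def find(self, issuer_ca, serial):
        return self._certs.get((issuer_ca, serial))


def authorize_enroll(ra, ca, profile):
    """Enrollment-side tenancy check: the requested CA and profile must be in the RA's scope."""
    if ca not in ra.allowed_cas or profile not in ra.allowed_profiles:
        raise AuthorizationError(f"{ra.fingerprint} may not enroll against {ca}/{profile}")


def revoke_unchecked(store, ra, issuer_ca, serial, reason):
    """The flawed pattern: the RA is authenticated (we have its fingerprint), but
    nothing ties the target certificate to the RA's scope."""
    cert = store.find(issuer_ca, serial)
    if cert is None:
        raise LookupError("unknown certificate")
    cert.revoked, cert.reason = True, reason


def revoke_checked(store, ra, issuer_ca, serial, reason):
    """Hardened: derive the scope from the certificate itself (issuing CA and
    profile) and require the RA to be authorized for both. 'Not found' and
    'not yours' raise the same error so one tenant cannot probe another's serials."""
    cert = store.find(issuer_ca, serial)
    if cert is None or cert.issuer_ca not in ra.allowed_cas or cert.profile not in ra.allowed_profiles:
        raise AuthorizationError(f"{ra.fingerprint} may not revoke {issuer_ca}:{serial:x}")
    cert.revoked, cert.reason = True, reason


def scenario():
    """Two tenants on one instance. Returns (cross-tenant revoked without the check,
    cross-tenant blocked with the check, own revocation succeeds with the check)."""
    ra_a = RaClient("ra-a", frozenset({"TenantA-CA"}), frozenset({"TenantA-Profile"}))
    ra_b = RaClient("ra-b", frozenset({"TenantB-CA"}), frozenset({"TenantB-Profile"}))

    def fresh_store():
        s = CertStore()
        s.add(Certificate("TenantA-CA", 0x1001, "TenantA-Profile"))
        s.add(Certificate("TenantB-CA", 0x2001, "TenantB-Profile"))
        return s

    s1 = fresh_store()
    revoke_unchecked(s1, ra_b, "TenantA-CA", 0x1001, "KEY_COMPROMISE")
    cross_revoked = s1.find("TenantA-CA", 0x1001).revoked

    s2 = fresh_store()
    try:
        revoke_checked(s2, ra_b, "TenantA-CA", 0x1001, "KEY_COMPROMISE")
        cross_blocked = False
    except AuthorizationError:
        cross_blocked = not s2.find("TenantA-CA", 0x1001).revoked

    revoke_checked(s2, ra_a, "TenantA-CA", 0x1001, "SUPERSEDED")
    own_ok = s2.find("TenantA-CA", 0x1001).revoked
    return cross_revoked, cross_blocked, own_ok
```

The same derivation applies to any operation that names an existing object rather than requesting a new one: key recovery, certificate status queries and end entity edits all need their authorization scope read from the stored object, not from what the caller claims.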
Downloads and Resources
As of this release, EJBCA Community releases will follow the release schedule for the Enterprise Edition, including all major and feature releases.
To download the latest version of EJBCA Community, you can choose from several options:
- EJBCA Community is available for download from GitHub.
- EJBCA Community Container is available for download from Docker Hub.
- EJBCA Community is available for download from SourceForge.
Want to learn more about our open-source software? Get in touch over at EJBCA Discussions on GitHub, a collective space where you can share feedback and contribute ideas to future releases. We would love to hear from you.
In the Keyfactor Community, developers, engineers, and security teams can get hands-on with Keyfactor's open-source PKI and signing software, share ideas with peers, and learn from industry experts. Find out more and sign up for the Keyfactor Community Newsletter at Keyfactor Community.