SignServer 5.8.1 Release Notes

DECEMBER 2021

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.8.1.

This release includes a new feature where signature requests can be signed by a remote client allowing a new end-to-end authorization mechanism for deployment scenarios with proxies or similar between the client and the server. The release also addresses two security issues and customers are advised to upgrade to this version as soon as possible.

Deployment options include SignServer Hardware Appliance and SignServer Cloud.

Highlights

Signed Signature Requests

SignServer 5.8.1 introduces support for Signed Signature Requests. This feature extends the request authorization capabilities of SignServer beyond client certificate and JSON Web Token (JWT) authorization. In deployment scenarios where there are mutual TLS (mTLS) hops between the client and SignServer it may not be feasible to use an mTLS connection for the closest network element to authorize the signature request. When the Signed Signature Request feature is used, a signature is added as metadata to the request by the client. Adding the signature to the request can now be done using the SignServer SignClient or by following the request format specification when generating the request from a client using the SignServer Web Services API. For more information, see Signed Request Authorizer.

Security Notice

Third-party Apache Santuario Library Upgrade (CVE-2021-40690)

Versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

SignServer Enterprise incorporates the Apache Santuario - XML Security for Java as a third-party library and may be affected if configured to provide XML or XAdES validators.

As of SignServer Enterprise 5.8.1, the Apache Santuario - XML Security for Java library is updated to version 2.1.7, which includes a fix for CVE-2021-40690. After upgrading to SignServer Enterprise 5.8.1, your installation is no longer affected by this security issue.

Severity

• Medium – There is no known exposure if XML or XAdES validators are not configured in SignServer. In addition, an attacker would need to be authorized to use configured workers if any. 

Cross-site Scripting Issue in Admin Web

During our testing with a new combination of test data and request sequence in the SignServer Admin Web interface, a cross-site scripting issue was found. By setting up a new worker where JavaScript code is used in the worker name followed by a Generate CSR request, the script in the worker name will be executed in the generate CSR step. This issue has been fixed in SignServer 5.8.1 and similar issues in other parts of Admin Web were also fixed. Two weeks after the release of SignServer 5.8.1 this issue will be reported as a CVE. 

Severity

• Low – Only an authorized SignServer administrator could perform an attack. Any update of worker names configured in SignServer will be logged in the audit log.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.8.1 is included in SignServer Hardware Appliance 3.9.3 and SignServer Cloud 1.10.1.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.8.1, refer to our JIRA Issue Tracker.

Issues Resolved in 5.8.1