EJBCA Release Notes

This maintenance release resolves several vulnerabilities found in EJBCA during penetration testing, and we recommend that all customers upgrade their installations if they are affected and cannot otherwise mitigate. 

Summary of Vulnerabilities

The issues are submitted publicly as Common Vulnerabilities and Exposures (CVEs) and the CVE identifiers are referenced in the table below.

Each entry below gives the issue name, a description, who is affected and, where one is available, a possible mitigation.

Unchecked Certificate Uploads in Validator

Description: The External Command Certificate Validator has been found to save uploaded test certificates to the server. An attacker who has gained administrative access to the CA UI could exploit this to upload malicious scripts to the server.

Who is affected: Users of the External Command Certificate Validator.

Authentication Bypass Vulnerability

Description: A malicious user can put the CA UI into an error state, which in turn allows other bugs to be exploited and can lead to privilege escalation and remote code execution.

Who is affected: Installations where the CA UI is reachable on a port that does not require client certificate authentication (port 8442 or 8080 on a standard EJBCA installation). If the CA UI is not reachable on such a port, the vulnerability cannot be exploited. Users of the PrimeKey PKI Appliance are not affected, as the PKI Appliance by default implements firewall rules that negate the issue.

Possible mitigation: Use a firewall to ensure that the CA UI URI is accessible only with client certificate authentication.

XSS and CSRF Issues

Description: Two XSS issues and one CSRF issue were found during testing. As is common with XSS and CSRF vulnerabilities generally, the risk is associated with a malicious administrator, or with an administrator following links to pages within EJBCA sent from a malicious source; both are unlikely in a secure environment. The CSRF issue could be used for privilege escalation by a skilled attacker with knowledge of the CA system and network access to it.

Who is affected: All EJBCA installations.

Protocol Access Control Bypass

Description: EJBCA allows the available remote protocols (CMP, ACME, REST, etc.) to be restricted through the system configuration. A vulnerability has been found where these restrictions can be bypassed by modifying the URI string sent from a client. EJBCA's internal access control restrictions are still in place, and each respective protocol must still be configured to allow enrollment.

Who is affected: You may be affected if your PKI is set up for enrollment over a third-party protocol but you have, for whatever reason, disabled that protocol in the System Configuration.

Possible mitigation: To ensure complete mitigation of this vulnerability, block the access paths of unwanted protocols (e.g. ejbca/publicweb/cmp) in your firewall.

Deserialization Bug

Description: Several vulnerable sections of code were found where the verification of serialized objects sent between nodes connected via the Peers protocol still allows insecure objects to be deserialized.

Who is affected: You may be affected if you have connected your VAs or RAs via the Peers protocol. For an exploit to be successful:

  • An attacker needs to have compromised the internal PKI in order to issue fraudulent TLS keys.
  • An attacker must have performed a complete takeover of one of the nodes in order to send a compromised payload.
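
The Protocol Access Control Bypass entry above says the restriction is bypassed by modifying the URI string, gives no further detail, and recommends blocking the protocol paths in front of EJBCA. Any such path-based block is only as good as its canonicalisation, so the following is an added example (not EJBCA's or PrimeKey's code) of the check a reverse proxy or a log-review tool could apply before comparing a request target with the prefixes of disabled protocols: it percent-decodes (bounded, to catch double encoding), strips servlet-style ";name=value" path parameters, collapses empty and dot segments, and compares case-insensitively. The only prefix taken from the release notes is ejbca/publicweb/cmp; the second entry in the map is a placeholder, the sample request targets are constructed, and the class and method names are my own. Whether a given variant would actually be routed to the protocol servlet by a particular container is not something the page states; the check is deliberately conservative and flags anything that could resolve to a blocked prefix. Requires Java 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/**
 * Canonicalises a raw request target before comparing it with the path
 * prefixes of protocols that are disabled in System Configuration.
 * Added example, not EJBCA code. Only /ejbca/publicweb/cmp comes from the
 * release notes; the second prefix is a placeholder for whatever else you
 * have disabled.
 */
public final class DisabledProtocolPathCheck {

    /** Protocol name -> path prefix that must not be reachable while the protocol is disabled. */
    static final Map<String, String> DISABLED_PREFIXES = new LinkedHashMap<>();
    static {
        DISABLED_PREFIXES.put("CMP", "/ejbca/publicweb/cmp");        // from the release notes
        DISABLED_PREFIXES.put("EXAMPLE", "/ejbca/example-disabled"); // placeholder, not a real EJBCA path
    }

    /** Percent-decodes a path without turning '+' into a space, repeating a bounded number of times. */
    static String percentDecode(String s) {
        for (int round = 0; round < 3 && s.indexOf('%') >= 0; round++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break; // a malformed escape is left as-is; the prefix comparison still runs on it
            }
            if (decoded.equals(s)) break;
            s = decoded;
        }
        return s;
    }

    /** Query and fragment dropped, escapes decoded, ;params stripped, "." / ".." / "//" resolved. */
    static String normalizePath(String rawRequestTarget) {
        String p = rawRequestTarget;
        int cut = p.indexOf('?');
        if (cut >= 0) p = p.substring(0, cut);
        cut = p.indexOf('#');
        if (cut >= 0) p = p.substring(0, cut);
        p = percentDecode(p);
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);     // servlet containers ignore ;path=params
            if (seg.isEmpty() || seg.equals(".")) continue;  // collapses "//" and "/./"
            if (seg.equals("..")) {                           // resolve dot-dot inside the path
                if (!segments.isEmpty()) segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** Returns the disabled protocol whose prefix the canonical path falls under, if any. */
    static Optional<String> disabledProtocolFor(String rawRequestTarget) {
        String path = normalizePath(rawRequestTarget).toLowerCase(Locale.ROOT);
        for (Map.Entry<String, String> e : DISABLED_PREFIXES.entrySet()) {
            String prefix = e.getValue().toLowerCase(Locale.ROOT);
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return Optional.of(e.getKey());
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed request targets for the demonstration, not captured traffic.
        String[] samples = {
            "/ejbca/publicweb/cmp",
            "/ejbca/publicweb/cmp/myalias",
            "/ejbca//publicweb/cmp",
            "/ejbca/publicweb/./cmp",
            "/ejbca/ra/../publicweb/cmp",
            "/ejbca/publicweb/%63mp",
            "/ejbca/publicweb/%2563mp",
            "/ejbca/publicweb/cmp;jsessionid=0123",
            "/ejbca/PublicWeb/CMP?x=1",
            "/ejbca/publicweb/cmpx",
            "/ejbca/ra/",
        };
        System.out.printf("%-42s %-6s %-10s %s%n", "request target", "naive", "canonical", "normalized path");
        for (String s : samples) {
            boolean naive = s.startsWith("/ejbca/publicweb/cmp"); // plain prefix test, for comparison
            System.out.printf("%-42s %-6s %-10s %s%n", s, naive ? "CMP" : "-",
                    disabledProtocolFor(s).orElse("-"), normalizePath(s));
        }
    }
}
```

The main method prints each constructed target next to the verdict of a plain startsWith test and of the canonicalised check. The variants with a doubled slash, a dot segment, a dot-dot segment, a percent-encoded letter, a path parameter or different case are missed by the plain test but flagged after normalisation, while "/ejbca/publicweb/cmpx" shows the opposite failure of the plain test: it is not under the CMP prefix at all. Put the prefixes of every protocol you have disabled into DISABLED_PREFIXES, and treat a hit on a disabled protocol as something to block and alert on, since a legitimate client has no reason to send it.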

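The Deserialization Bug entry describes serialized objects from a Peers-connected node passing verification when they should not. The standard hardening for Java serialization is a strict allow-list filter on the ObjectInputStream, so that only the message classes a node expects can ever be instantiated, whatever a compromised peer sends over an otherwise valid TLS connection. Below is an added example of that technique using java.io.ObjectInputFilter (Java 9 and later); it is not EJBCA's or the Peers protocol's code, the StatusRequest and AdminCommand classes are invented for the demonstration, and the depth and byte limits are illustrative values you would size for your own messages.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Allow-list deserialization filter (java.io.ObjectInputFilter, Java 9+).
 * Added example, not EJBCA or Peers code: the message classes are made up
 * to show the technique and nothing here describes the real Peers format.
 */
public final class PeerMessageFilterDemo {

    /** Hypothetical request type that a node expects from a peer. */
    static final class StatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String requesterNodeId;
        final long sentAtEpochMillis;
        StatusRequest(String requesterNodeId, long sentAtEpochMillis) {
            this.requesterNodeId = requesterNodeId;
            this.sentAtEpochMillis = sentAtEpochMillis;
        }
    }

    /** Hypothetical class that is serializable but must never be accepted from a peer. */
    static final class AdminCommand implements Serializable {
        private static final long serialVersionUID = 1L;
        final String shellCommand;
        AdminCommand(String shellCommand) { this.shellCommand = shellCommand; }
    }

    /** Exact class names a peer may send. Anything else, including subclasses, is rejected. */
    static final Set<String> ALLOWED_CLASSES = Set.of(
            StatusRequest.class.getName(),
            String.class.getName()); // String fields are presented to the filter as objects too

    static final int MAX_DEPTH = 4;           // illustrative limit on object graph depth
    static final long MAX_BYTES = 8 * 1024;   // illustrative limit on bytes read from the stream

    static final ObjectInputFilter PEER_FILTER = info -> {
        if (info.depth() > MAX_DEPTH || info.streamBytes() > MAX_BYTES) {
            return ObjectInputFilter.Status.REJECTED;  // resource limits apply on every callback
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED; // callback without a class (e.g. a back-reference)
        }
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();          // judge arrays by their element type
        }
        if (clazz.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ALLOWED_CLASSES.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Serializable msg) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(msg);
        }
        return bytes.toByteArray();
    }

    /** Deserializes a peer message; the filter is consulted before any class in the stream becomes an instance. */
    static Object readPeerMessage(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(PEER_FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object accepted = readPeerMessage(serialize(new StatusRequest("va-01", 1583020800000L)));
        System.out.println("accepted: " + accepted.getClass().getSimpleName());

        try {
            readPeerMessage(serialize(new AdminCommand("rm -rf /")));
            System.out.println("BUG: AdminCommand was accepted");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

Compile and run the class with a Java 11 or later JDK: the StatusRequest round trip succeeds, and the AdminCommand read fails with an InvalidClassException raised by the stream as soon as the filter returns REJECTED for the class descriptor, before any constructor or readObject method of the rejected class can run. The point for the Peers scenario is defence in depth: the TLS layer decides who may talk to the node, and the filter decides what a legitimately authenticated but compromised node is allowed to make the receiver instantiate. Keep the allow-list to the concrete message classes plus the JDK types they contain, and prefer exact names over package wildcards.
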
Upgrade Information

As a patch release, the upgrade steps for this release are the same as for EJBCA 6.15; see the EJBCA 6.15 Upgrade Notes.

For general upgrade instructions and information on upgrade paths, see Upgrading EJBCA.


Behavior Changes

When listing role members in the CA UI (Roles and Access Rules>Members), there was previously a link to view certificates, if the role member had a match value of X509: Certificate serial number. This link has now been removed from EJBCA 6.15.x.

Change Log: Resolved Issues

The following lists the issues resolved in this EJBCA release.

Issues Resolved

Released March 2020

– Improve output format in CertDistServlet listcerts command
– Add new HTTP security headers
– Fix formatting in CertStoreServletTest and CertFetchAndVerify
– Perform upgrade testing
– Backport external dependency update
– Change the copyright footer to 2020

Bug Fixes

– Security issue
– Security issue
– ServiceSession logs incorrect administrator when editing a service
– Cannot search by year 2020 in Admin Web
– Acme failure
– Bad default CRL parameters when importing CA
– UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT
– RA fails into an endless loop on load when missing /ra_master/invoke_api access
