EJBCA 7.4.3.2 Release Notes

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.4.3.2.

The primary focus of this release has been some critical bugs that were discovered after the release of 7.4.3, as well as upgrading some underlying libraries which had CVEs reported post release.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Vulnerability in underlying Apache Batik Library

CVE-2019-17566 has been reported for Apache Batik, which constitutes an exploitable vulnerability for EJBCA. EJBCA 7.4.3.2 includes an upgrade of this library to version 1.13, and as this constitutes a vulnerability in EJBCA we will be submitting our own CVE two weeks after the release of this version.

Upgrade of underlying XStream Library

CVE-2020-26217 has been reported for Xstream, so it has been upgraded as a result. The vulnerability in this library does not constitute a security risk for EJBCA.

Invalid storage of SIM value (RFC4683) in the Subject Alternative Name of a Certificate

As reported to support, EJBCA did not store the SIM Subject Alternative Name value correctly.

AWS KMS Request Throttling when reading Public Keys results in Unusable Keys

It was found that due to request throttling, AWS KMS crypto tokens with more than five keys were left with some keys unusable.

Signing with RSASSA-PSS not working in OpenJDK 8u272/11.0.6 without Java patch

It has been reported that a backport to OpenJDK 8u272 broke handling of RSASSA-PSS. To avoid issues we have built around this bug in EJBCA. This bug does not affect Appliance customers, as the PrimeKey Appliance runs a patched version of OpenJDK.

Upgrade Information

As a patch release, the upgrade procedure is the same as for EJBCA 7.4.3. See the EJBCA 7.4.3 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.4.3.2 is available on EJBCA Hardware Appliance 3.5.6 and EJBCA Cloud 2.6 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.4.3.2, refer to our JIRA Issue Tracker.

Issues Resolved in 7.4.3.2

Released December 2020

Tasks

ECA-9694 - Security issue

Improvements

ECA-9669 - Workaround for MSSQL Hibernate driver issue that leads to duplicates in CRL
ECA-9679 - Signing with RSASSA-PSS not working in OpenJDK 8u272/11.0.6 without Java patch
ECA-9693 - Security Issue

Bug Fixes

ECA-9557 - SSH Certificate Signer not working with p11
ECA-9705 - Invalid storage of SIM value (RFC4683) in the Subject Alternative Name of a certificate
ECA-9711 - AWS KMS request throttling when reading public keys results in unusable keys