
EJBCA Third-party Vulnerability Management Statement

Purpose

To establish digital trust, Keyfactor EJBCA customers require EJBCA supply chain security that ensures the security of EJBCA itself and of the customer use cases EJBCA supports.

Keyfactor is committed to maintaining a secure software supply chain for EJBCA through proactive monitoring and analysis of vulnerabilities in third-party components included in the EJBCA Container Set that may affect the security of EJBCA as a product and of customer deployments of EJBCA Container Set.

As part of every product release, we identify and evaluate vulnerabilities reported for third-party components included in the EJBCA Container Set.

This process ensures that dependencies used within the EJBCA environment are continuously monitored and appropriately mitigated.

Scope

Our third-party vulnerability management process applies to containers and the documented deployment methods distributed as part of the EJBCA Container Set, including:

  • The ejbca-ee, ejbca-ee-ra, and ejbca-ee-va containers

  • Third-party modules, system packages, and runtime libraries

  • Container base images and OS layers

  • The EJBCA Enterprise Edition Helm chart

This process focuses specifically on third-party Common Vulnerabilities and Exposures (CVEs) that could impact the EJBCA Container Set deployed in Kubernetes according to the product documentation.

For security issues identified and resolved in EJBCA’s proprietary product code and submitted as CVEs, refer to Archive of EJBCA security issues.

Process Summary

1. Automated Scanning

Prior to each release, all containers undergo automated scans to identify publicly known CVEs in third-party software.

Scans are performed using industry-recognized tools that rely on trusted vulnerability databases such as the NVD.

2. Review and Analysis

CVEs with a Common Vulnerability Scoring System (CVSS) base score of 4.0 or higher (Medium or above) are analyzed to determine whether they affect EJBCA, when deployed according to the product documentation for EJBCA Container Set deployment, in a way that makes exploitation of the vulnerability feasible under real-world customer conditions.

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. For more information, refer to Common Vulnerability Scoring System: Specification Document.

3. Remediation and Mitigation

Potential vulnerabilities related to third-party CVEs may be remediated either through a documented statement on why a CVE is not exploitable in EJBCA as a product, through a documented mitigation action, or through availability of an upgraded EJBCA version that no longer shows the CVE in scans.

4. Customer Communication

Availability of new versions and relevant mitigation information is announced via the Keyfactor Support Portal and associated product documentation updates.

SBOM Availability

A detailed Software Bill of Materials (SBOM) is published for every version of the EJBCA Container Set; see EJBCA Software Bill of Materials (SBOM).

The SBOM lists all third-party components and versions included in the release, providing full transparency into the product’s dependency composition.

Vulnerability Analysis Report (VAR)

For each release, EJBCA produces a report, CVEs and vulnerability analysis for EJBCA Container Set, summarizing:

  • Third-party CVEs identified during pre-release scanning, capturing CVEs publicly reported at least 15 days prior to EJBCA release.

  • EJBCA’s impact assessment and mitigation instructions, where applicable.

  • Any residual risks or pending actions.

The vulnerability analysis report is available on request to authorized customers within 30 days after each release.
