EJBCA 7.8.0 Release Notes
The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.0.1 (EJBCA 7.8.0 was an internal release, not generally available to customers).
This release mainly fixes a slew of compliance issues and bugs that have been reported on the feature set released last spring. Transaction handling for publishers has been improved for rollback scenarios. The release also contains a compliance fix related to the validity of CRLs and OCSP responses.
Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.
Highlights
Transaction Handling for Publishers Improved
An issue was brought to our attention regarding transaction handling during publishing operations. Previously, an error in direct publishing caused an immediate rollback of the entire issuance operation. Normally this behavior is desired, but it can cause compliance issues when a pre-certificate has also been written to a Certificate Transparency log, because that submission is an "intent to issue".
Transaction handling has therefore been improved so that a failure in direct publishing no longer rolls back the whole issuance: the certificate is still issued and can be managed accordingly.
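The following simulation is an added example written for these notes; it is not EJBCA code, and the names CaDatabase, CtLog, FailingPublisher and issue_certificate are hypothetical. It contrasts the two behaviors: with rollback-on-publish-failure, a pre-certificate is already in the CT log while the certificate no longer exists in the CA database; with the improved handling, the certificate is kept and the publish is queued for retry.

```python
"""Added example (not EJBCA code): why a publisher failure must not roll back
issuance once a pre-certificate has been logged to Certificate Transparency.
Everything here is a constructed simulation with hypothetical names."""
from dataclasses import dataclass, field


class PublisherError(Exception):
    """Raised by a direct publisher (for example an LDAP directory) on failure."""


@dataclass
class CaDatabase:
    certificates: dict = field(default_factory=dict)   # serial -> certificate stand-in
    publish_queue: list = field(default_factory=list)  # serials awaiting a publish retry

    def begin(self):
        # Snapshot for a naive rollback; a real CA uses database transactions.
        return (dict(self.certificates), list(self.publish_queue))

    def rollback(self, snapshot):
        self.certificates, self.publish_queue = snapshot


@dataclass
class CtLog:
    precerts: list = field(default_factory=list)  # serials whose pre-certificate was logged

    def submit_precert(self, serial):
        # A logged pre-certificate is a public "intent to issue" and cannot be withdrawn.
        self.precerts.append(serial)


class FailingPublisher:
    def publish(self, serial, cert):
        raise PublisherError("directory unreachable")


def issue_certificate(db, ct_log, publisher, serial, rollback_on_publish_failure):
    snapshot = db.begin()
    ct_log.submit_precert(serial)            # pre-certificate logged: issuance is now public
    cert = f"CERT(serial={serial})"          # constructed stand-in for the signed certificate
    db.certificates[serial] = cert
    try:
        publisher.publish(serial, cert)
    except PublisherError:
        if rollback_on_publish_failure:
            db.rollback(snapshot)             # old behavior: the certificate is lost entirely
        else:
            db.publish_queue.append(serial)   # new behavior: keep it, retry publishing later
    return cert


def ct_consistency_problems(db, ct_log):
    """Serials announced to CT that do not exist in the CA database.
    Each one is a certificate the CA can neither revoke nor manage."""
    return [s for s in ct_log.precerts if s not in db.certificates]


def simulate(rollback_on_publish_failure):
    db, ct_log = CaDatabase(), CtLog()
    issue_certificate(db, ct_log, FailingPublisher(), "0A1B", rollback_on_publish_failure)
    return {
        "stored": "0A1B" in db.certificates,
        "queued_for_publish": "0A1B" in db.publish_queue,
        "in_ct_but_missing_from_db": ct_consistency_problems(db, ct_log),
    }


if __name__ == "__main__":
    print("old behavior:", simulate(rollback_on_publish_failure=True))
    print("new behavior:", simulate(rollback_on_publish_failure=False))
```

The check worth keeping from this is ct_consistency_problems: any serial that a CT log knows about but the CA database does not is a certificate the CA has lost control of, which is exactly the state the improved transaction handling prevents.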
Compliance
CRL and OCSP Validity Compliance
A customer brought to our attention that EJBCA gave CRLs and OCSP responses one second more validity than RFC 5280 intends. This has been addressed in EJBCA 7.8.0.1 by reducing the validity of CRLs and OCSP responses by 1 second.
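The following is an added example, not EJBCA code, showing the off-by-one and a check for it. It assumes that the intended validity is counted inclusively of both endpoints, in the way RFC 5280 section 4.1.2.5 counts certificate notBefore and notAfter, so a window of N seconds starting at T must end at T + N - 1 s; the function names and the sample records are constructed.

```python
"""Added example (not EJBCA code): computing and checking CRL/OCSP update windows so
that the inclusive endpoint second is not counted twice.
Assumption: validity is inclusive of both endpoints (RFC 5280 section 4.1.2.5 style)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def next_update_for(this_update, validity_seconds, fixed=True):
    """nextUpdate for a window of validity_seconds starting at this_update.
    fixed=False reproduces the pre-7.8.0.1 calculation, which is one second too long."""
    delta = timedelta(seconds=validity_seconds - (1 if fixed else 0))
    return this_update + delta


def effective_validity_seconds(this_update, next_update):
    """Inclusive length of the window in seconds: both endpoint seconds count."""
    return int((next_update - this_update).total_seconds()) + 1


def check_windows(records, configured_validity_seconds):
    """records: iterable of (label, thisUpdate, nextUpdate).
    Returns the labels whose inclusive validity exceeds the configured value."""
    return [
        label for label, t, n in records
        if effective_validity_seconds(t, n) > configured_validity_seconds
    ]


# Constructed sample data: a 24-hour CRL validity, one CRL built the old way, one the new way.
VALIDITY = 24 * 3600
T0 = datetime(2021, 10, 1, 12, 0, 0, tzinfo=UTC)
SAMPLE_RECORDS = [
    ("crl-old", T0, next_update_for(T0, VALIDITY, fixed=False)),
    ("crl-new", T0, next_update_for(T0, VALIDITY, fixed=True)),
]

if __name__ == "__main__":
    for label, t, n in SAMPLE_RECORDS:
        print(label, n.isoformat(), effective_validity_seconds(t, n))
    print("windows longer than configured:", check_windows(SAMPLE_RECORDS, VALIDITY))
```

Feeding check_windows the thisUpdate/nextUpdate pairs of CRLs fetched from an older installation is a quick way to confirm whether the extra second is present before and absent after upgrading.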
ACME Redirect Ports updated to comply with CA/Browser Forum Baseline Requirements 1.7.6
BR 1.7.6, as defined in SC44, clarified which redirect ports a CA may follow. It was found that EJBCA followed a 302 redirect to port 8080, which is not in the list of approved ports. This has been fixed in EJBCA 7.8.0.
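The following is an added example, not EJBCA code, of the decision a CA must make at each redirect while validating an http-01 challenge. The port set is the Baseline Requirements' "Authorized Ports" definition (80, 443, 25 and 22) as recalled by the example's author, and the assumption that only http and https redirects are followed is also the example's own; verify both against the BR version you are bound by. The function names and the sample redirect chains are constructed.

```python
"""Added example (not EJBCA code): deciding whether an HTTP redirect met while
validating an ACME http-01 challenge may be followed.
Assumptions: BR Authorized Ports are 80, 443, 25, 22; only http/https redirects are followed."""
from urllib.parse import urlsplit

AUTHORIZED_PORTS = {80, 443, 25, 22}       # BR "Authorized Ports" (assumption, see lead-in)
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Port a redirect target would actually connect to, or None for unknown scheme/bad port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    try:
        return parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:          # malformed port such as "http://host:abc/"
        return None


def redirect_allowed(location):
    """True only if the Location target uses http/https on an authorized port."""
    port = effective_port(location)
    return port is not None and port in AUTHORIZED_PORTS


def follow_chain(responses, max_redirects=5):
    """Walk a constructed chain of (status, location) responses and return
    (reached_ok, reason). Stops at the first redirect that may not be followed."""
    hops = 0
    for status, location in responses:
        if status in (301, 302, 303, 307, 308):
            hops += 1
            if hops > max_redirects:
                return False, "too many redirects"
            if not redirect_allowed(location):
                return False, f"refused redirect to {location}"
            continue
        return status == 200, f"final status {status}"
    return False, "chain ended on a redirect"


# Constructed sample chains, not captured traffic.
CHAIN_8080 = [(302, "http://example.test:8080/.well-known/acme-challenge/tok"), (200, None)]
CHAIN_443 = [(302, "https://example.test/.well-known/acme-challenge/tok"), (200, None)]

if __name__ == "__main__":
    print("redirect to 8080:", follow_chain(CHAIN_8080))
    print("redirect to 443:", follow_chain(CHAIN_443))
```

The check is applied to the resolved port, not the literal URL text: a Location without an explicit port is allowed only because its scheme default is itself an authorized port.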
Security Issues
Audience Claims not required by default
A review of our OAuth implementation found that not requiring the aud claim allowed a known user to access EJBCA with a valid token intended for a different audience. A new field has been added to the OAuth configuration, where the aud claim must be filled in for each defined provider. When upgrading, you will be prompted to fill in this field before running post-upgrade. Two weeks after the release of EJBCA 7.8.0, this issue will be reported as a CVE.
Severity
- Medium – an attacker would still need a valid OAuth token whose other claims are valid for a defined role, but which is intended for a different audience.
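The following is an added example, not EJBCA's OAuth code, illustrating the difference the new audience field makes. It verifies a JWT (HS256 with a shared secret, purely for a self-contained demonstration; real providers sign with RS256 or ES256) and then applies a per-provider audience check. The provider configuration, the check_token function, the issuer and the token claims are all constructed.

```python
"""Added example (not EJBCA code): verifying a JWT and enforcing the aud claim per
configured OAuth provider. With audience=None (the pre-7.8.0 default of not requiring
aud) a token minted for another relying party authenticates; with a required audience
it is rejected. All names and values here are constructed."""
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret, claims):
    """Constructed issuer: HS256-sign a claim set so the example can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def check_token(token, provider, now):
    """provider: {'secret': bytes, 'issuer': str, 'audience': str or None}.
    audience=None models a provider for which no aud value was configured."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(provider["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != provider["issuer"]:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    required_aud = provider.get("audience")
    if required_aud is not None:
        aud = claims.get("aud")
        aud_list = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
        if required_aud not in aud_list:
            return False, f"audience mismatch: {aud!r}"
    return True, f"accepted subject {claims.get('sub')}"


SECRET = b"constructed-shared-secret"
NOW = 1_633_000_000
ISSUER = "https://idp.example.test"
# Same user, same issuer, same signing key: only the audience tells the two tokens apart.
FOREIGN_TOKEN = mint_token(SECRET, {"iss": ISSUER, "sub": "alice",
                                    "aud": "billing-portal", "exp": NOW + 600})
CA_TOKEN = mint_token(SECRET, {"iss": ISSUER, "sub": "alice",
                               "aud": "ejbca-adminweb", "exp": NOW + 600})

LAX_PROVIDER = {"secret": SECRET, "issuer": ISSUER, "audience": None}
STRICT_PROVIDER = {"secret": SECRET, "issuer": ISSUER, "audience": "ejbca-adminweb"}

if __name__ == "__main__":
    print("no audience configured, foreign token:", check_token(FOREIGN_TOKEN, LAX_PROVIDER, NOW))
    print("audience required, foreign token:    ", check_token(FOREIGN_TOKEN, STRICT_PROVIDER, NOW))
    print("audience required, CA token:         ", check_token(CA_TOKEN, STRICT_PROVIDER, NOW))
```

The signature, issuer and expiry checks all pass for the foreign token, which is why they give no protection here: the same identity provider legitimately issued it. Only the audience comparison distinguishes a token meant for EJBCA from one meant for another application.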
Upgrade Information
Review the EJBCA 7.8 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 7.8.0.1 is included in EJBCA Hardware Appliance 3.9.1 and EJBCA Cloud 2.9.0 and can be deployed as EJBCA Software Appliance.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.8.0 and 7.8.0.1, refer to our JIRA Issue Tracker.
Issues Resolved in 7.8.0.1
Released October 2021
Improvements
ECA-10327 - Reduce CRL and OCSP Validities by 1 second
Bug Fixes
ECA-10303 - Throwaway CA Revocation Broken in 7.6.0
Issues Resolved in 7.8.0
Released September 2021
Improvements
ECA-8561 - Add a validation check for Configdump Handlers
ECA-9685 - Improve German translation for AdminWeb and RA
ECA-9752 - Access control too restrictive when searching for end entities using EjbcaWS.findUser
ECA-10069 - Enroll menu in the RA web is not shown until the rule create_end_entity is set to Allowed
ECA-10120 - Deploying EJBCA with oracle 19c DB
ECA-10183 - CABF Compliance: EJBCA follows redirect to other ports than BR 1.7.6 Authorized Ports when validating ACME http-01 challenge
ECA-10205 - Would like to be able to specify key sizes and curves in clientToolBox stresstest
ECA-10208 - Fix message typo: modifyable = modifiable
ECA-10235 - Documentation: Not possible to use custom DN attributes with number 200, as recommended in sample file
ECA-10247 - Ant target for ACME system tests is broken
ECA-10248 - Security issue
ECA-10249 - Extend CLI recover command with delta functionality
ECA-10309 - Implement transaction-aware direct publishing
Bug Fixes
ECA-9235 - Validity of CVC certificate view in RA web should display only full days
ECA-9551 - Permission Loss on EEP Import
ECA-9850 - Configdump exports "CAs to check" for Services, even when it is not applicable
ECA-9991 - Regex validation breaks Certificate Profile field update
ECA-10068 - Possible to view end entities in RA web though the role is set to Deny
ECA-10071 - Enrollment code can not be empty when setting status to generated in RA Web
ECA-10142 - Regression: Notification Subject field in End Entity Profile currently max 40 characters.
ECA-10147 - CA activation should not require /ca_functionality/edit_ca access
ECA-10182 - OAuth is not working with Ping ID
ECA-10185 - REST endentity add user with PEM token fails
ECA-10190 - EST Client mode does not properly parse DN for UID attribute
ECA-10191 - Cannot edit end entity after enabling revocation upon issuance
ECA-10192 - Issuance revocation reason not set by the RA web
ECA-10193 - Pre-Sign Linting is Not Possible for a CA with P-384
ECA-10199 - Enrollment with PublicWeb does not consider the key specification selected by the user
ECA-10200 - Clicking on Audit Log Details column scrolls to the top left of the page
ECA-10201 - The text in the "Profile Description" field of the End Entity profile is not holding after saving the End Entity profile.
ECA-10204 - Proper formatting for worker.properties when creating OCSP Presigner service using ejbca.sh cli
ECA-10210 - OCSP Transaction / Audit log upgrade doesn't work
ECA-10212 - Multiple COUNTRYOFCITIZENSHIP / COUNTRYOFRESIDENCE are silently discarded
ECA-10215 - Database interruption during publishing can cause certificates to be lost
ECA-10218 - Custom extension of type BITSTRING is encoded with double bytes when empty octet is removed
ECA-10220 - Regression: ManagementCA fails to renew due to OID error, after editing CA
ECA-10233 - Why does ant runinstall set the clear password
ECA-10240 - Complete description texts for fields in the AcmeConfiguration
ECA-10241 - Autoenrollment menu link not visible in add/search end entity pages
ECA-10244 - RA Web Search for Certificate by full serial name does not work with Serial Number Octet Size less than 8
ECA-10246 - Fix ACME Name Generation Scheme Re-enrollement + Tests
ECA-10277 - Security Issue
ECA-10289 - Upgrade problem EJBCA 7.4.3 to 7.7.0
ECA-10290 - fix ConfigdumpOAuthKeyInfoUnitTest
ECA-10305 - Implement EJBCA CLI command for getting relevant truststore
ECA-10315 - Error when attempting to set name constraints via EJBCA WS