EJBCA Hardware Appliance 5.3 Release Notes
MAY 2026
We are pleased to announce the release of EJBCA Hardware Appliance 5.3.
With this release, we have added support for comprehensive network customization and streamlined operations by introducing user-configurable static network routes directly in the WebConf. The release also brings significant automation enhancements for large-scale deployments, drastically reducing the time and manual effort required to provision new appliance instances.
The release also brings critical security hardening against CVE-2026-31431, CVE-2026-43284, CVE-2026-43500 and CVE-2026-46300, alongside an upgrade of the u.trust quantum protect modules to version 1.5.0.0. In addition, a new dropdown menu allows administrators to specify whether to generate a new Administration Smart Card or to reuse an existing card to quickly establish the initial setup environment.
Highlights
New version of EJBCA Enterprise
EJBCA Enterprise has been updated to version 9.6. For more information, see the EJBCA Release Notes.
Customizable Static Network Routes
Customers can now configure static network routes per interface directly within the WebConf UI. This provides enhanced flexibility in complex network environments, allowing the appliance to securely connect to external systems—such as network-attached HSMs—that are not reachable via the default gateway.
Automated Deployments & Configuration
To streamline and accelerate large-scale rollouts, this release introduces support for automated network configuration and deployment. System administrators can now provision and configure the appliance efficiently without needing manual, step-by-step intervention for every single node.
There are limitations; for example, cluster scenario configuration is not supported yet.
For more information, see Automated Deployment.
Improvements and Corrections
The following lists other improvements and corrections included in the release.
Kernel Security Hardening (CVE-2026-31431): Disables the algif_aead kernel component to proactively eliminate a potential local privilege escalation vulnerability, ensuring the highest level of underlying platform security.
Mitigation of DirtyFrag Vulnerabilities (CVE-2026-43284 & CVE-2026-43500): Applies patches to resolve the "DirtyFrag" security flaws within kernel networking components.
Mitigation of Fragnasia Vulnerability (CVE-2026-46300): Resolves the "Fragnasia" security threat by implementing the required kernel-level network updates. This protects the appliance from network fragment exploitation risks similar to the DirtyFrag vulnerability family.
OpenSSL CVEs 2026
Upgraded packages to address and remediate identified OpenSSL vulnerabilities.
CVE-2026-31790 – Incorrect Failure Handling in RSA KEM RSASVE Encapsulation
CVE-2026-28387 – Potential use-after-free in DANE client code
CVE-2026-31789 – Heap buffer overflow in hexadecimal conversion on 32-bit platforms
Quantum Protect Module Upgrade: Upgrades the Utimaco u.trust quantum protect modules to version 1.5.0.0, delivering improved cryptographic stability and readiness for next-generation security standards. This update resolves a critical limitation in version 5.2.2, where generating Post-Quantum Cryptography (PQC) keys and certificates on u.trust hardware was not possible.
ADMIN Card import during Initialization (Utimaco u.trust): The appliance initialization workflow now supports reading the Administration Smart Card during the setup. A new dropdown menu allows administrators to specify whether to generate a new Administration Smart Card or to reuse an existing card to quickly establish the initial setup environment.
Upgrade Information
For information on the required steps to update the EJBCA Hardware Appliance, see Settings: Appliance Update.