Dear Customers and Partners,
PrimeKey has released an update to address a vulnerability in EJBCA found as part of our internal testing. In line with PrimeKey's new policy, we will submit this issue publicly as a CVE two weeks after alerting customers.
In the implementation of OAuth authentication to the EJBCA UI, the audience (aud) claim was not required to be checked by default. The consequence is that a user could potentially present a valid token issued for a different audience (another application registered with the same provider) to access EJBCA. Note that the token's primary claim would still have to be matched by a configured Role for the user to gain any privileges in EJBCA.
Note that not all OAuth providers include an aud claim in their tokens, but notably Azure OAuth does.
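To make the failure mode concrete, the following is an added example (not EJBCA's code, and not PrimeKey's) in Python using only the standard library. It mints HS256 JWTs with a constructed shared secret standing in for the OAuth provider, then validates them two ways: a lenient validator that checks only signature and expiry, as the pre-7.8.0 default behaviour described above would, and a strict validator that additionally requires the aud claim to be present and to name the expected audience. The issuer URL, audiences, subject and key are all assumed for illustration; per RFC 7519 the aud claim may be a string or an array, so both forms are handled.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared between the "provider" and the "relying party".
# Real OAuth providers sign with asymmetric keys; HS256 keeps this example self-contained.
SECRET = b"example-shared-secret-for-demo-only"
EXPECTED_AUD = "ejbca"  # assumed: the audience value EJBCA would be configured to require


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the OAuth provider in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Check structure, algorithm and HMAC, then return the decoded claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust alg from the token alone
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_lenient(token: str, key: bytes, now: int) -> dict:
    """Signature and expiry only: a token for any audience is accepted."""
    claims = verify_signature(token, key)
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def validate_strict(token: str, key: bytes, expected_aud: str, now: int) -> dict:
    """Same checks plus a mandatory audience check (string or array form)."""
    claims = validate_lenient(token, key, now)
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("aud claim missing")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"aud {audiences} does not include {expected_aud}")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run both validators against a token for another app and one for EJBCA."""
    base = {"iss": "https://idp.example", "sub": "alice", "exp": now + 600}
    # Same provider, same key, same user: only the intended audience differs.
    foreign = mint_token({**base, "aud": "other-app"})
    intended = mint_token({**base, "aud": ["ejbca", "audit-portal"]})
    results = {}
    results["lenient_foreign"] = validate_lenient(foreign, SECRET, now)["sub"]
    try:
        validate_strict(foreign, SECRET, EXPECTED_AUD, now)
        results["strict_foreign"] = "accepted"
    except ValueError:
        results["strict_foreign"] = "rejected"
    results["strict_intended"] = validate_strict(intended, SECRET, EXPECTED_AUD, now)["sub"]
    return results


if __name__ == "__main__":
    print(demo())
```

The lenient validator happily returns "alice" for the token minted for other-app; whether that turns into privileges then depends only on whether a Role matches the sub claim, which is exactly the "primary claim configured in a Role" condition above. The strict validator rejects that token and accepts the one whose aud array includes the configured audience.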
Who is potentially affected
Anybody using OAuth to access EJBCA with a provider whose tokens assume that the relying party will check the audience claim.
PrimeKey rates the issue as medium impact and low probability.
Impact is medium because an attacker could potentially gain access to an unintended Role. Probability is low because the attacker would first need to obtain a valid OAuth token from the same provider, and a Role would have to be configured for a claim in that token even though the token was issued for a different intended audience.
Anybody using OAuth to access EJBCA should apply the update.
This issue has been fixed in EJBCA 7.8.0 and later. When upgrading to EJBCA 7.8.0, you will be prompted to fill in the aud claim for every defined OAuth provider before the post-upgrade step can be performed.
EJBCA 7.8.0 is included in Appliance version 3.9.1 and EJBCA Cloud 2.9.0.
If you have any questions, please contact support.