EJBCA Security Advisory - CMP Revocation Ignores Multi Tenancy Constraints
Dear Customers and Partners,
PrimeKey has released an update to address a vulnerability in EJBCA found as a part of our internal testing.
As a part of PrimeKey's new policy, we will be submitting this issue publicly as a CVE two weeks after alerting customers.
CMP RA mode can be configured to authenticate enrolling clients with a known client certificate (the RA client certificate). The same RA client certificate is also used to authenticate revocation requests. Enrollment enforces multi-tenancy constraints by verifying that the client certificate has access to the CA and the profiles being enrolled against, but this check was not performed when authenticating revocation operations. A known tenant could therefore revoke a certificate belonging to another tenant.
Who is potentially affected
You may be affected if you are running CMP with RA mode enabled with multiple tenants.
PrimeKey rates the issue as having medium impact and low probability.
Impact is medium because it allows a trusted tenant to mount a denial-of-service attack on other tenants by revoking their certificates. Probability is low because the attacker already needs to be a trusted party, that is, the holder of a known RA client certificate.
How to check if you are affected
Review the revocations performed through CMP in RA mode and verify with your tenants that no unplanned revocations have taken place.
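The failure mode described above, and the retrospective check suggested in this section, as an added Python model. This is illustrative code written for this page, not EJBCA's own; the tenant, CA, profile and serial names, the revocation record format and the exact shape of the fix (applying the enrollment-side CA constraint to the issuing CA of the certificate being revoked) are assumptions.

```python
# Added model of the missing authorization check, not EJBCA code.
# Tenant, CA, profile and serial names below are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class RaClient:
    """A known CMP RA client certificate and the CAs/profiles it may use."""
    subject: str
    allowed_cas: frozenset
    allowed_profiles: frozenset


@dataclass(frozen=True)
class Cert:
    issuer_ca: str
    serial: str
    profile: str


class CaDatabase:
    """Minimal stand-in for the CA's certificate store."""
    def __init__(self):
        self.certs = {}       # (issuer_ca, serial) -> Cert
        self.revoked = set()  # (issuer_ca, serial)


def check_tenancy(client, ca, profile=None):
    """Multi-tenancy constraint: the RA client must be authorized for the
    target CA and, for enrollment, for the certificate profile."""
    if ca not in client.allowed_cas:
        raise PermissionError(f"{client.subject} may not use CA {ca}")
    if profile is not None and profile not in client.allowed_profiles:
        raise PermissionError(f"{client.subject} may not use profile {profile}")


def enroll(db, client, known, ca, profile, serial):
    """Enrollment enforced the constraint in affected versions as well."""
    if client.subject not in known:
        raise PermissionError("unknown RA client")
    check_tenancy(client, ca, profile)
    cert = Cert(ca, serial, profile)
    db.certs[(ca, serial)] = cert
    return cert


def revoke_vulnerable(db, client, known, ca, serial):
    """Behaviour described for affected versions: only 'is this a known RA
    client?' is checked, so any tenant can revoke any tenant's certificate."""
    if client.subject not in known:
        raise PermissionError("unknown RA client")
    if (ca, serial) not in db.certs:
        raise KeyError("no such certificate")
    db.revoked.add((ca, serial))


def revoke_fixed(db, client, known, ca, serial):
    """Assumed shape of the fix: the same constraint enrollment applies,
    checked against the issuing CA of the certificate being revoked."""
    if client.subject not in known:
        raise PermissionError("unknown RA client")
    check_tenancy(client, ca)
    if (ca, serial) not in db.certs:
        raise KeyError("no such certificate")
    db.revoked.add((ca, serial))


def unplanned_revocations(records, clients):
    """Retrospective check: flag revocation records whose requesting RA client
    was not authorized for the issuing CA. Records are dicts with 'ra_client',
    'issuer_ca' and 'serial' keys (a constructed shape, not an EJBCA log format)."""
    by_subject = {c.subject: c for c in clients}
    return [r for r in records
            if r["ra_client"] not in by_subject
            or r["issuer_ca"] not in by_subject[r["ra_client"]].allowed_cas]


TENANT_A = RaClient("CN=RA-TenantA", frozenset({"TenantA-CA"}), frozenset({"TenantA-Profile"}))
TENANT_B = RaClient("CN=RA-TenantB", frozenset({"TenantB-CA"}), frozenset({"TenantB-Profile"}))
KNOWN = {TENANT_A.subject, TENANT_B.subject}

RECORDS = [  # constructed sample revocation records
    {"ra_client": "CN=RA-TenantA", "issuer_ca": "TenantA-CA", "serial": "0x0a01"},
    {"ra_client": "CN=RA-TenantA", "issuer_ca": "TenantB-CA", "serial": "0x0b01"},
    {"ra_client": "CN=RA-TenantB", "issuer_ca": "TenantB-CA", "serial": "0x0b02"},
]


def demo():
    """Tenant A tries to enroll against and then revoke tenant B's certificate.
    Returns the revocation outcome for the vulnerable and the fixed path."""
    outcomes = []
    for revoke in (revoke_vulnerable, revoke_fixed):
        db = CaDatabase()
        enroll(db, TENANT_B, KNOWN, "TenantB-CA", "TenantB-Profile", "0x1001")
        try:  # cross-tenant enrollment is refused on both paths
            enroll(db, TENANT_A, KNOWN, "TenantB-CA", "TenantB-Profile", "0x1002")
        except PermissionError:
            pass
        try:
            revoke(db, TENANT_A, KNOWN, "TenantB-CA", "0x1001")
            outcomes.append("revoked")
        except PermissionError:
            outcomes.append("denied")
    return tuple(outcomes)


if __name__ == "__main__":
    print(demo())
    print([r["serial"] for r in unplanned_revocations(RECORDS, [TENANT_A, TENANT_B])])
```

The vulnerable path revokes tenant B's certificate on tenant A's request; the fixed path refuses it with the same constraint that enrollment already applied. The retrospective check is the same predicate run over historical revocation records, and in the constructed sample it flags only the cross-tenant entry.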
A software update has been released in EJBCA Enterprise 7.6.0.
For more information, see the release notes included in the documentation for this release.
EJBCA 7.6.0 is included in Appliance version 3.8.0 and EJBCA Cloud y.y.
If you have any questions, please contact support.