EJBCA Security Advisory - Enrollment Secrets Reflected in UI

Dear Customers and Partners,

PrimeKey has released an update to address a vulnerability in EJBCA found as a part of our internal testing.

As a part of PrimeKey's new policy, we will be submitting this issue publicly as a CVE two weeks after alerting customers

Issue Summary

As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on the page. While hidden from direct view, checking the page source would reveal the secret.

Who is potentially affected

You may be affected if you are running any of the following protocols: SCEP, CMP, EST or Microsoft Auto-enrollment.

Severity

PrimeKey rates the issue as having low impact and low probability.

Risk Assessment

Impact is low as an attacker would already need to be a trusted administrator with access to the relevant configuration pages, and in all likelihood already knows the affected secrets. Probability is low since an external attacker would need to already have high level access to the EJBCA UI. 

Vulnerability

You may be affected if you are using SCEP, CMP, EST or or Microsoft Auto-enrollment.

How to check if you are affected

Verify in the audit logs that no unauthorized issuances have been made.  If there is any suspicion that a hostile party has had access to the UI, change the enrollment secrets after upgrading. 

Fixes

A software update has been released in EJBCA Enterprise 7.6.0.

For more information, see the release notes included in the documentation for this release.

EJBCA 7.6.0 is included in Appliance version 3.8.0 and EJBCA Cloud 2.7.0

If you have any questions, please contact support.