EJBCA Security Advisory - Revocation check not performed on EST client certificate - News / PrimeKey Announcements - PrimeKey Support

Aug 27 2020

Dear Customers and Partners,

PrimeKey has released an update to address a vulnerability in EJBCA. In line with PrimeKey's new policy, this issue will be submitted publicly as a CVE two weeks after customers have been alerted.

Issue Summary

During internal testing it was found that when a client certificate is used to enroll over the EST protocol, no revocation check is performed on that certificate.

Who is potentially affected

You may be affected if you use EST enrollment with client certificates and have revoked such a certificate in the past. 

Who is not affected

You are not affected by this advisory if you are not using EST.

Severity

PrimeKey rates the issue as having low impact and low probability.

Risk Assessment

Impact is low as client certificates are rarely revoked. 

Vulnerability

This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role which is authorized to enroll new end entities.

How to check if you are affected

On the CA, open the CA UI and check whether EST is enabled and whether any EST alias is configured to authenticate with a client certificate.

Mitigation

To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles. 
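The two points above, that role membership alone was sufficient to enroll and that removing revoked certificates from roles closes the gap, can be illustrated with a small model of the authorization decision. This is an added example, not EJBCA code: the role names, issuer DN, serial numbers and CRL contents are all constructed for illustration.

```python
"""Model of the EST client-certificate authorization decision from the advisory.

Constructed example, not EJBCA code. Roles, serials and CRL data are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ClientCert:
    issuer_dn: str
    serial: int


@dataclass(frozen=True)
class Crl:
    issuer_dn: str
    revoked_serials: frozenset
    next_update: datetime


# Constructed role membership: role name -> member certs as (issuer, serial).
ROLES = {
    "EST Enrollers": {("CN=Device CA", 0x1001), ("CN=Device CA", 0x1002)},
    "Auditors": {("CN=Device CA", 0x2001)},
}
# Constructed CRL: serial 0x1002 has been revoked by the issuing CA.
CRL = Crl("CN=Device CA", frozenset({0x1002}), datetime(2030, 1, 1, tzinfo=timezone.utc))
GOOD_CERT = ClientCert("CN=Device CA", 0x1001)
REVOKED_CERT = ClientCert("CN=Device CA", 0x1002)
NOW = datetime(2020, 8, 27, tzinfo=timezone.utc)        # advisory date
AFTER_NEXT_UPDATE = datetime(2031, 1, 1, tzinfo=timezone.utc)  # CRL is stale here


def authorize_vulnerable(cert, roles):
    """Before the fix: being a member of the enrollment role is enough."""
    return (cert.issuer_dn, cert.serial) in roles.get("EST Enrollers", set())


def is_revoked(cert, crl, now):
    """Fail closed: a CRL from another issuer or past nextUpdate proves nothing."""
    if crl.issuer_dn != cert.issuer_dn or now > crl.next_update:
        return True
    return cert.serial in crl.revoked_serials


def authorize_fixed(cert, roles, crl, now):
    """After the fix: revocation status is checked before role membership counts."""
    return not is_revoked(cert, crl, now) and authorize_vulnerable(cert, roles)


def revoked_role_members(roles, crl):
    """Mitigation audit: role members whose certificate appears on the CRL."""
    hits = {name: {m for m in members if m[0] == crl.issuer_dn and m[1] in crl.revoked_serials}
            for name, members in roles.items()}
    return {name: members for name, members in hits.items() if members}
```

Running `revoked_role_members(ROLES, CRL)` lists exactly the memberships the mitigation says to remove, while `authorize_fixed` shows the decision the update makes for the same certificate.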

Fixes

A software update has been released in EJBCA Enterprise 7.4.1.

For more information, see the release notes included in the documentation for this release.

EJBCA 7.4.1 is included in Appliance version 3.5.3 and EJBCA Cloud 2.3.

If you have any questions, please contact support.

Contact us:

support@primekey.com

Global support number: +1 251 317 6984