The certificate distribution servlet /ejbca/ra/cert is prone to a partial denial of service attack due to an authentication issue. In configurations using OAuth, disclosure of CA certificates (attributes and public keys) to unauthenticated or underprivileged users may occur.
Who is potentially affected
- Any installation that exposes the URL /ejbca/ra/cert to public and/or restricted users is prone to a partial denial of service of certificate distribution via this URL.
- Installations configured with OAuth authentication and separation of CA visibility are prone to disclosure of CA certificates to unauthenticated users.
Who is not affected
Installations where the URL /ejbca/ra/cert is blocked by a reverse proxy.
Installations where /ejbca/ra/ is disabled via EJBCA's protocol configuration.
Keyfactor rates the severity as medium.
- Installations relying on certificate distribution via /ejbca/ra/cert are at risk as unauthenticated users may trigger partial denial of service for this endpoint.
- In installations using OAuth for authentication, and where the URL is also accessed by authenticated users, this vulnerability may cause disclosure of CA certificates (attributes and public keys) through the RA Web interface to unauthenticated or underprivileged users. Note that CA certificates are often considered public information and are available by default via EJBCA's servlets and protocols unless explicitly blocked.
The issue does not affect any other URLs or access protocols.
Unauthenticated users with access to the RA Web may be able to cause partial denial of service or information disclosure.
How to check if you are affected
If the RA Web is enabled under System Configuration > Protocol Configuration, then you are affected unless the URL /ejbca/ra/cert is blocked by other means.
If the RA Web is enabled, check your server log for accesses to the URL path /ejbca/ra/cert.
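The log check above can be scripted. The following is an added example, not code from the advisory or from EJBCA: it parses access log lines in the common "combined" format written by nginx or Apache httpd in front of EJBCA, keeps only requests whose path is /ejbca/ra/cert (query string stripped), and summarizes them per client and per HTTP status so that repeated requests from one source, or unexpected server errors on the endpoint, stand out. The log lines, client addresses and query string are constructed for the example; the `threshold` for flagging a client is an arbitrary value, not a figure from the advisory.

```python
import re
from collections import Counter

# Constructed sample access log lines (combined log format). These are not
# entries from any real installation; addresses, timestamps and the query
# string are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /ejbca/ra/cert?example=1 HTTP/1.1" 200 1422 "-" "curl/8.1.2"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /ejbca/ra/cert?example=1 HTTP/1.1" 200 1422 "-" "curl/8.1.2"
198.51.100.20 - - [10/Jan/2024:12:00:05 +0000] "GET /ejbca/ra/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:06 +0000] "GET /ejbca/ra/cert HTTP/1.1" 500 0 "-" "curl/8.1.2"
198.51.100.20 - - [10/Jan/2024:12:00:09 +0000] "GET /ejbca/ra/cert HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2024:12:01:00 +0000] "POST /ejbca/ejbca-rest-api/v1/certificate HTTP/1.1" 201 512 "-" "python-requests/2.31"
"""

# Matches client address, timestamp, request line, status and response size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The servlet path named in the advisory.
CERT_SERVLET = "/ejbca/ra/cert"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so /ejbca/ra/cert?... is matched as well.
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def cert_servlet_hits(log_text):
    """Return the parsed requests whose path is exactly /ejbca/ra/cert."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == CERT_SERVLET:
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate servlet requests per client address and per HTTP status code."""
    per_client = Counter(h["client"] for h in hits)
    per_status = Counter(h["status"] for h in hits)
    return {
        "total": len(hits),
        "per_client": dict(per_client),
        "per_status": dict(per_status),
    }


def noisy_clients(hits, threshold=3):
    """Clients with at least `threshold` requests to the servlet (threshold is an example value)."""
    per_client = Counter(h["client"] for h in hits)
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    hits = cert_servlet_hits(SAMPLE_LOG)
    print(summarize(hits))
    print("clients with repeated requests:", noisy_clients(hits))
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of the access log file of the reverse proxy or application server in front of the exposed EJBCA node. Requests with status 500 on this path, or many requests from a single client, are the patterns worth reviewing against the denial of service described above; a 403 on the path after the mitigation below is applied confirms that the block is in effect.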
Upgrade to EJBCA 8.0.
EJBCA 8.0.0 is included in EJBCA SW Appliance 3.2, EJBCA HW Appliance 3.12 and EJBCA Cloud 3.2.
Prior to upgrade, the following mitigations can be applied:
Block unauthenticated access to the URL path /ejbca/ra/cert in the application server (e.g. WildFly) or reverse proxy. If authenticated users should have restrictions on which CAs they can see, block the URL for all users.
Alternatively, disable the whole RA Web in System Configuration > Protocol Configuration.
After applying mitigations, the application servers of the exposed EJBCA nodes must be restarted.
Advisory title: EJBCA Security Advisory: Partial denial of service attack on certificate distribution servlet /ejbca/ra/cert