Issue summary
The certificate distribution servlet /ejbca/ra/cert is prone to a partial denial of service attack due to an authentication issue. In configurations using OAuth, disclosure of CA certificates (attributes and public keys) to unauthenticated or underprivileged users may occur.
Severity
Keyfactor rates the severity as medium.
Who is potentially affected?
- Any installation that exposes the URL /ejbca/ra/cert to public users and/or restricted users is prone to a partial denial of service for certificate distribution using this URL.
- Installations configured with OAuth authentication and separation of CA visibility are prone to disclosure of CA certificates to unauthenticated users.
Who is not affected?
- Installations where the URL /ejbca/ra/cert is blocked by a reverse proxy
- Installations where /ejbca/ra/ is disabled via EJBCA's protocol configuration
Risk assessment
- Installations relying on certificate distribution via /ejbca/ra/cert are at risk, as unauthenticated users may trigger partial denial of service for this endpoint.
- In installations using OAuth for authentication AND if the URL is also accessed by authenticated users, this vulnerability may cause disclosure of CA certificates (attributes and public keys) using the RA Web interface to unauthenticated or underprivileged users. Note that CA certificates are often considered public information and available by default via EJBCA's servlets and protocols unless explicitly blocked.
The issue does not affect any other URLs or access protocols.
Vulnerability vectors
Unauthenticated users with access to the RA Web may be able to cause partial denial of service or information disclosure.
How to check if you are affected
If the RA web is enabled under System Configuration > Protocol Configuration, then you are affected unless the URL /ejbca/ra/cert is blocked by other means.
If the RA web is enabled, check your server log for accesses to the URL path /ejbca/ra/cert.
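One way to make that log check repeatable, as an added example that is not Keyfactor's or EJBCA's own code: it parses common-format access-log lines, counts requests to /ejbca/ra/cert per client, and flags clients that send a burst of requests. The log format, the burst thresholds and the sample log lines are assumptions; adjust the regex to your server's access-log pattern.

```python
import re
from collections import Counter
from datetime import datetime

# Common/combined access-log format as written by Apache httpd, nginx or the
# WildFly access-log handler (assumed; adapt if your pattern differs).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "/ejbca/ra/cert"  # the servlet named in the advisory


def parse_access_log(lines):
    """Yield one record per request whose path is /ejbca/ra/cert (query string ignored)."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected format; skip it
        path = m.group("path").split("?", 1)[0]
        if path == TARGET_PATH or path.startswith(TARGET_PATH + "/"):
            yield {
                "client": m.group("client"),
                "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                "status": int(m.group("status")),
            }


def summarize(lines, burst=20, window_seconds=60):
    """Count hits to the servlet per client and flag clients that send at least
    `burst` requests inside any `window_seconds` interval (thresholds are assumed)."""
    hits = list(parse_access_log(lines))
    per_client = Counter(h["client"] for h in hits)
    bursty = set()
    for client in per_client:
        times = sorted(h["time"] for h in hits if h["client"] == client)
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst:
                bursty.add(client)
                break
    return {"total": len(hits), "per_client": dict(per_client), "bursty": sorted(bursty)}


# Constructed sample lines (not real traffic): one client hammers the servlet,
# another fetches it once, and one request goes to a different RA Web page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:12:00:00 +0000] "GET /ejbca/ra/cert HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/Jun/2023:12:00:01 +0000] "GET /ejbca/ra/cert HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/Jun/2023:12:00:01 +0000] "GET /ejbca/ra/index.xhtml HTTP/1.1" 200 5678',
] + [
    f'203.0.113.7 - - [10/Jun/2023:12:00:{s:02d} +0000] "GET /ejbca/ra/cert HTTP/1.1" 200 1234'
    for s in range(2, 30)
]
```

Run `summarize(open("access.log"))` against a real log; a non-empty `bursty` list or an unexpectedly long `per_client` table is the signal that the endpoint is being reached from outside and warrants the blocking described under Mitigation.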
Mitigation
- Upgrade to EJBCA 8.0. EJBCA 8.0.0 is included in EJBCA SW Appliance 3.2, EJBCA HW Appliance 3.12 and EJBCA Cloud 3.2.
- Prior to upgrade, the following mitigations can be applied:
- Block unauthenticated access to the URL path /ejbca/ra/cert in the application server (e.g. WildFly) or reverse proxy. If authenticated users should have restrictions on which CAs they can see, block the URL for all users.
- Alternatively, disable the whole RA Web in System Configuration -> Protocol Configuration.
After applying mitigations, the application servers of the exposed EJBCA nodes must be restarted.
Additional information
Should you have any additional questions, please reach out to support@keyfactor.com.
Related to: