EJBCA 7.8.2 Release Notes

FEBRUARY 2022

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.2.

This minor release is mainly an upgrade of the log4j library to the latest version of log4j2.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Log4j Upgrade

As has been stated before, EJBCA was never vulnerable to CVE-2021-44228 or the subsequent findings, because EJBCA handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block and is not used in the main deployment. It is only ever directly referenced from the CLI, but its presence will still trip automatic vulnerability scanners. As we understand that many of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about EJBCA being vulnerable.

SaferDailyRollingFileAppender Deprecated

The SaferDailyRollingFileAppender (which was activated by setting ocsp.log-safer = true in ocsp.properties) has been deprecated and removed due to incompatibilities with the Log4j upgrade. Setting this value to true caused a transaction rollback if the server logs could not be written to, and served a corner case for certain VAs with legal requirements to log all OCSP traffic. This setting is no longer supported by EJBCA.

CMP over TCP Deprecated

We have been considering sunsetting and then deprecating support for CMP over TCP for a while, but due to incompatibilities with the Log4j upgrade we've chosen to accelerate the schedule. From 7.8.2 onwards, CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.

Upgrade Information

Review the EJBCA 7.8.2 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.8.2 is included in EJBCA Hardware Appliance 3.9.4 and EJBCA Cloud 2.9.3 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.8.2, refer to our JIRA Issue Tracker.

Issues Resolved in 7.8.2

Released February 2022

    Improvements

    ECA-10479 - Library upgrade

    ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

    ECA-10501 - Remove support for CMP over TCP

    ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

    ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender

    ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2

    ECA-10530 - Update standalone scripts with log4j compatibility flag

    ECA-10531 - Resolve test failures after log4j upgrade

    Bug Fixes

    ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

    ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithms parameters for RSA SHA algorithms

    ECA-10532 - Fix ACME issuance of certificates with non-validated domains