EJBCA 7.8.2 Release Notes
FEBRUARY 2022
The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.2.
This minor release is mainly an upgrade of the log4j library to the latest version of log4j2.
Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.
Highlights
Log4j Upgrade
As has been stated before, EJBCA was never vulnerable to CVE-2021-44228 or the subsequent findings, because EJBCA handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block and is not used in the main deployment. It is only ever directly referenced from the CLI, but it will still trip automatic vulnerability scanners. As we understand that many of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dispel any questions about EJBCA being vulnerable.
SaferDailyRollingFileAppender Deprecated
The SaferDailyRollingFileAppender (which was activated by setting ocsp.log-safer = true in ocsp.properties) has been deprecated and removed due to incompatibilities with the Log4J upgrade. Setting this value to true caused a transaction rollback if the server logs could not be written to, and was a corner case for certain VAs with legal requirements to log all OCSP traffic. This setting is no longer supported by EJBCA.
CMP over TCP Deprecated
We have been considering sunsetting and then deprecating support for CMP over TCP for a while, but due to incompatibilities with the Log4J upgrade we've chosen to accelerate the schedule. From 7.8.2 onwards, CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.
Upgrade Information
Review the EJBCA 7.8.2 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 7.8.2 is included in EJBCA Hardware Appliance 3.9.4 and EJBCA Cloud 2.9.3 and can be deployed as EJBCA Software Appliance.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.8.2, refer to our JIRA Issue Tracker.
Issues Resolved in 7.8.2
Released February 2022
Improvements
ECA-10479 - Library upgrade
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender
ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10531 - Resolve test failures after log4j upgrade
Bug Fixes
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithms parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains