Hotfix 1.10.14
Release Date: 10/09/2024
Key features
Compliance Validate
Improved OID validation and added QCStatement validation alongside the existing OID validation.
Compliance Validate is now more robust: it displays specific advanced certificate characteristics (OIDs) and qcStatement OIDs in both the validation service and the portal. The set of displayed OIDs can be extended.
- Use property pdf.validation.oids.keys.values to add new OIDs.
- Use property pdf.validation.oids.enabled to enable/disable this feature (enabled by default).
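To make concrete what the QCStatement part of the validation reads, here is an added Python example (not eSign code) that decodes a QCStatements extension value (RFC 3739, extension OID 1.3.6.1.5.5.7.1.3) into its statement OIDs; the DER input is constructed inline, and the ETSI name map is an assumption about which statements a validation report would label.

```python
# Decode an X.509 QCStatements extension (SEQUENCE OF QCStatement) into
# (statementId OID, has statementInfo) pairs with a minimal DER reader.

# Assumed display names for a few ETSI EN 319 412-5 statement OIDs.
ETSI_QC_NAMES = {
    "0.4.0.1862.1.1": "QcCompliance",
    "0.4.0.1862.1.4": "QcSSCD",
    "0.4.0.1862.1.6": "QcType",
}

# Constructed sample: QcCompliance, QcSSCD, and QcType with a statementInfo
# of SEQUENCE { id-etsi-qct-esign (0.4.0.1862.1.6.1) }.
SAMPLE_QC_STATEMENTS = bytes.fromhex(
    "3029"
    "3008 0606 0400 8e46 0101"                      # QcCompliance
    "3008 0606 0400 8e46 0104"                      # QcSSCD
    "3013 0606 0400 8e46 0106 3009 0607 0400 8e46 0106 01"  # QcType + info
)

def _read_tlv(buf, pos):
    """Return (tag, value bytes, next position) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_qc_statements(der):
    """Return [(oid, has_info), ...] for each QCStatement in the extension."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("QCStatements must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, stmt, pos = _read_tlv(seq, pos)
        oid_tag, oid_raw, end = _read_tlv(stmt, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed QCStatement")
        result.append((_decode_oid(oid_raw), end < len(stmt)))
    return result

def describe(der):
    """Label each statement OID the way a validation report might display it."""
    return [f"{ETSI_QC_NAMES.get(o, 'unknown')} ({o})" for o, _ in parse_qc_statements(der)]
```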
CRL signing
Signature Addins can now specify whether they support CRL signing. Systems can then omit the CRL from their signatures while still validating the signing certificate's chain against those CRLs, so the CRL no longer needs to be embedded in the signature.
Configurable TSL endpoint reading
Following recent additions to CA URLs in some European TSLs, the endpoints are now configurable in eSign's trustedstore.
This keeps eSign up to date with the latest TSL URLs for Certificate Authorities and allows further endpoints to be added without a new release.
Fixes
- Fixed a bug where OCSP requests would sometimes not be performed correctly due to badly formatted third-party certificate chains.
Security Vulnerabilities
Known vulnerabilities
Dependency | Severity | Vulnerability | Description
---|---|---|---
bouncycastle | MEDIUM | CVE-2023-33202 | The iText 7.1.x and 7.2.x suite relies on version 1.67 of the BouncyCastle provider. We have reached out to the vendor, who has assured us that a solution is forthcoming.
Whitelist vulnerabilities
Dependency | Vulnerability | Description
---|---|---
spring-web | CVE-2016-1000027 | Spring dismissed this CVE: "The vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data."
spring-web | CVE-2024-22243 | eSign does not use the affected component of Spring. The vulnerability is not applicable to eSign: "Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to a SSRF attack if the URL is used after passing validation checks."
jackson-databind | CVE-2023-35116 | "The vendor's perspective is that the product is not intended for use with untrusted input."
liquibase-core | CVE-2022-0839 | This vulnerability does not affect eSign, as it does not support external inputs to Liquibase libraries.
h2 | CVE-2021-42392 | These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments.
itext-core | CVE-2022-24198 | iText dismissed this CVE: "Vendor does not view this as a vulnerability and has not found it to be exploitable."
itext-* | CVE-2021-43113 | This library is included in iText's bundle, but eSign never uses it. Removed from eSign 1.11.0 and upwards.
quartz | CVE-2023-39017 | Quartz functionalities are not exposed to the outside.
jose4j | CVE-2023-31582 | This vulnerability does not affect eSign, as it does not allow the configuration of the number of hashing iterations (which is set at a safe level).