Release 1.11.4

Release Date: 02/07/2024

Features

Support for biometric key in base64 format

eSign now initializes the biometric manager and loads the public key from either the "signature.publickey.data" property (the key’s data in base64 format) or the "signature.publickey" property (the key’s file path). If no public key is specified, a warning is logged.
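As an added illustration of the lookup order described above (example code, not eSign's own), the following Java snippet reads "signature.publickey.data" first, falls back to the "signature.publickey" file path, and logs a warning when neither is set. It assumes an RSA key in DER-encoded X.509 SubjectPublicKeyInfo form; the key algorithm and file encoding eSign actually expects are not stated on this page.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Optional;
import java.util.Properties;
import java.util.logging.Logger;

public class BiometricKeyLoader {
    private static final Logger LOG = Logger.getLogger(BiometricKeyLoader.class.getName());

    /** Returns the configured key, or empty (after logging a warning) when neither property is set. */
    static Optional<PublicKey> load(Properties props) throws Exception {
        String b64 = props.getProperty("signature.publickey.data");
        String path = props.getProperty("signature.publickey");
        byte[] der;
        if (b64 != null && !b64.isBlank()) {
            // Base64 property wins; strip whitespace that multi-line property values often carry
            der = Base64.getDecoder().decode(b64.replaceAll("\\s", ""));
        } else if (path != null && !path.isBlank()) {
            // Assumption: the file holds the raw DER bytes (no PEM armour)
            der = Files.readAllBytes(Path.of(path));
        } else {
            LOG.warning("No biometric public key configured: set signature.publickey.data or signature.publickey");
            return Optional.empty();
        }
        // Assumption: RSA. X509EncodedKeySpec expects SubjectPublicKeyInfo, which is what getEncoded() yields.
        return Optional.of(KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: generate a throwaway key and feed it through the base64 property
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey key = gen.generateKeyPair().getPublic();
        Properties props = new Properties();
        props.setProperty("signature.publickey.data", Base64.getEncoder().encodeToString(key.getEncoded()));
        PublicKey loaded = load(props).orElseThrow();
        System.out.println("loaded key matches generated key: " + loaded.equals(key));
        System.out.println("key present with empty config: " + load(new Properties()).isPresent());
    }
}
```

A malformed value fails loudly at parse time rather than silently leaving the manager without a key, which is the case to watch for in logs after an upgrade.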

Features

  • Improved the performance of deleting logs by RSQL and/or date queries.

Fixes

  • Protected eSign against cases where external service signatures returned certificate chains in the wrong order, which caused invalid OCSP responses to be generated.

  • Fixed a bug where bars appeared in front of vertices, obstructing mouse interaction.

  • Fixed a bug where the sustainability query would return an error due to the sum of document pages being too big.

  • Fixed a bug where the OTP field for two-factor authentication appeared in the signature picker modal, obstructing the interface.

Security Vulnerabilities

Fixed vulnerabilities

  • bcprov-jdk18on (Critical), CVE-2024-34447: This vulnerability relates to improper validation of certificates and has been addressed.

  • bcprov-jdk18on (High), CVE-2024-29857: The issue with excessive CPU consumption during parameter evaluation has been resolved.

  • bcprov-jdk18on (High), CVE-2024-30171: Timing-based leakage in RSA handshakes due to exception processing has been fixed.

  • bcprov-jdk18on (High), CVE-2024-30172: The infinite loop issue in Ed25519 verification code has been corrected.

  • cxf-core (High), CVE-2024-28752: An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

  • spring-web (High), CVE-2024-22243: The vulnerability in UriComponentsBuilder related to open redirect and SSRF attacks has been fixed.

  • spring-web (High), CVE-2024-22262: The improper input validation issue leading to various attacks has been addressed.

Known vulnerabilities

[none]

Whitelisted vulnerabilities

  • h2, CVE-2018-14335: These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments.

  • itext-core, CVE-2022-24198: iText dismissed this CVE: "Vendor does not view this as a vulnerability and has not found it to be exploitable." (https://nvd.nist.gov/vuln/detail/CVE-2022-24198)

  • jose4j, CVE-2023-31582: This vulnerability does not affect eSign, as it does not allow the configuration of the number of hashing iterations (which is set at a safe level).

  • quartz, CVE-2023-39017: Quartz functionalities are not exposed to the outside. eSign provides no way of passing unchecked arguments to Quartz.

  • spring-web, CVE-2016-1000027: Spring dismissed this CVE: "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data." (https://nvd.nist.gov/vuln/detail/CVE-2016-1000027)

Upgrade Notes

If upgrading from 1.10.x, check the migration steps to understand how to upgrade.

Breaking Changes

[none]