Release 1.11.5

Release Date: 26/07/2024

Features

Updated CMD signature compliance with new AMA guidelines

To comply with the latest AMA guidelines, eSign now encrypts the CMD signature with the public key provided by AMA, starting in the frontend component (the eSign viewer). The signature is additionally encrypted with eSign’s session key as an extra layer of security.

Fixes

  • Fixed a handwritten dialog bug that caused the canvas to render incorrectly on resize.

  • Fixed a bug where comb fields would draw their characters out of bounds.

  • Fixed a bug that prevented eSign from fully loading all certificates from a given Trusted List (due to a CA type mismatch).

Security Vulnerabilities

Fixed vulnerabilities

Dependency  Severity  Vulnerability

Apache CXF  High      CVE-2024-32007
  This vulnerability involves improper input validation of the p2c parameter in the Apache CXF JOSE code before versions 4.0.5, 3.6.4, and 3.5.9. Attackers can exploit this flaw to perform a denial of service (DoS) attack by specifying a large value for this parameter in a token, leading to excessive resource consumption and potential service disruption. Updating to the patched versions resolves this issue.

OSSINDEX    Critical  CVE-2024-29736
  An SSRF vulnerability in the WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF-style attacks on REST web services. The attack only applies if a custom stylesheet parameter is configured.

Known vulnerabilities

[none]

Whitelisted vulnerabilities

Dependency  Vulnerability      Description

h2          CVE-2018-14335
  These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments.

itext-core  CVE-2022-24198
  iText dismissed this CVE: "Vendor does not view this as a vulnerability and has not found it to be exploitable."
  https://nvd.nist.gov/vuln/detail/CVE-2022-24198

jose4j      CVE-2023-31582
  This vulnerability does not affect eSign, as it does not allow the configuration of the number of hashing iterations (which is set at a safe level).

quartz      CVE-2023-39017
  Quartz functionality is not exposed externally; eSign provides no way of passing unchecked arguments to Quartz.

spring-web  CVE-2016-1000027
  Spring dismissed this CVE: "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data."
  https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

Upgrade Notes

If upgrading from 1.10.x, check the migration steps to understand how to upgrade.

Breaking Changes

[none]