Tell HN: The software run by nearly every CA is affected by Log4J

6 points by DyslexicAtheist ↗ HN
PrmeKey's EJBCA[1] is the de-facto standard of PKI software sold to certificate authorities (CA). EJBCA is a Jboss based J2EE application that heavily uses log4j. And it heavily uses log4j and also seems vulnerable to log4shell.

This will end badly because despite the big talk of most CA's hardly anyone has an HSM. Secrets usually are in a database in several places I worked at. And those that do have an HSM it's just a Gemalto "soft HSM" running as a "VM appliance".

[1] https://www.ejbca.org/

5 comments

[ 3.6 ms ] story [ 32.1 ms ] thread
The CAB forum BR requires that CAs use HSMs, so I call bullshit. Those soft HSMs are used in dev environments. Unless you talk about enterprises internal CA, where the storage of keys is usually not the biggest concern.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...

6.2.7 Private key storage on cryptographic module The CA SHALL protect its Private Key in a system or device that has been validated as meeting at least FIPS 140 level 3 or an appropriate Common Criteria Protection Profile or Security Target, EAL 4 (or higher), which includes requirements to protect the Private Key and other assets against known threats