MTS Security Product News
JSS 2022.06.7
This minor release includes CVE suppressions and third party updates.
--------------------------------------------------------
JSS 2023.01.7
This Bugfix release fixes a bug where cancellation of an asynchronous function call could stall the system for up to several hours, depending on configuration.
--------------------------------------------------------
ESS 2023.04.4
This minor release includes CVE suppressions and third party updates.
--------------------------------------------------------------
ESS 2023.04.1 released
This is a third party library update release.
Library updates
- Updates JSS Dependencies to version 2023.01.6 due to CVE-2023-34462
- Updates Spring Dependencies to version 5.3.27 for compatibility with new JSS
- Updates Netty Dependencies to version 4.1.94.Final due to CVE-2023-34462
- Updates Guava Dependencies to version 32.0.1-jre due to CVE-2023-2976
-----------------------------------------------------------------------------------------------------------
JSS 2023.01.6 released
This is a third party library update release.
Library updates
- Updates Apache Tomcat Dependencies to version 9.0.75 due to CVE-2023-34981
- Updates Guava Dependencies to version 32.0.1-jre due to CVE-2023-2976
- Updates Netty Dependencies to version 4.1.94.Final due to CVE-2023-34462
- Updates Spring Boot Dependencies to version 2.7.12 due to CVE-2023-20883
CVE Suppressions
- CVE-2023-35116 suppressed, as the response structures are fixed and cannot be influenced by user input. Therefore, cyclic dependencies are not possible.
-----------------------------------------------------------------------------------------------------------
JSS 2023.01.5 released
This is a third party library update release.
Library updates
- Updates Spring Dependencies to version 5.3.27 due to CVE-2023-20863
- Updates Spring Boot Dependencies to version 5.7.11 due to CVE-2023-20873
- Updates Spring Security Dependencies to version 5.7.7 due to CVE-2023-20862
ESS Release 2023.04.0
This feature release aims at addressing the upcoming needs for market communication.
Bugfixes:
- ESS-637 VerifyFirmware API does not accept Base64 encoded firmware anymore
- ESS-740 Some services did not check request parameters
- ESS-754 Fixed: jdk.disabled.namedCurves entries unsupported by the JDK led to an error
- ESS-758 Key managers do not respect key type
- ESS-761 Null Pointer Exception in KeyRetriever
- ESS-772 Support logback XML configurations
- ESS-773 LDAP query should use "wholeSubtree" instead of "subordinatesSubtree"
New Features
- ESS-750 Support key passwords in TlsCoreConfig
- ESS-752 Enable deprecated functions 0e2s Encrypt/Decrypt again
- ESS-762 Improve Logs
- ESS-763 Add configuration option for AbstractRestServiceUnit thread pool size
- ESS-767 New CryptoSupport service "Create MACO Cert Request"
- ESS-768 New PKI-Manager service "Process MACO Certificate Request Synchronously"
- ESS-774 Support LDAPS queries identified by "market partner ID"
-----------------------------------------------------------------------------------------------------------
JSS 2023.01.4 released
This is a minor feature release.
New feature:
- JSS-1305 (https://jira.worldline.com/browse/JSS-1305) Support new ECDSA signature algorithms: In order to support signature algorithms that do not ASN.1 encode the signature bytes but use the P1363 format, e.g., SHA256withECDSAinP1363Format, support has been added to JSSJCAProvider (see JDK-8042967 (https://bugs.java.com/bugdatabase/view_bug?bug_id=8042967)).
As this could lead to faulty behavior when using JSSJCAProvider with JDK 9 or later versions we decided to deliver this feature as a hotfix.
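As an added example (not JSS or JDK code), the following Python converts an ECDSA signature between the IEEE P1363 form mentioned above and the ASN.1 DER form, strictly parsing the DER side; the field size parameter is an assumption, e.g. 32 for P-256 or 66 for P-521.

```python
# Added example, not JSS or JDK code: convert an ECDSA signature between the
# IEEE P1363 form (r || s, each padded to the field size) and the ASN.1 DER
# form (SEQUENCE of two INTEGERs). field_bytes is the curve's coordinate size.

def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(value: int) -> bytes:
    """Minimal DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int, tag: int):
    """Return (content, position after the element) for one DER TLV."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def p1363_to_der(sig: bytes) -> bytes:
    """r || s  ->  SEQUENCE { INTEGER r, INTEGER s }."""
    if not sig or len(sig) % 2:
        raise ValueError("P1363 signature must be r||s of equal length")
    half = len(sig) // 2
    body = _der_int(int.from_bytes(sig[:half], "big")) + \
           _der_int(int.from_bytes(sig[half:], "big"))
    return b"\x30" + _der_len(len(body)) + body

def der_to_p1363(der: bytes, field_bytes: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }  ->  r || s, rejecting trailing data."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r_raw, pos = _read_tlv(body, 0, 0x02)
    s_raw, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("trailing bytes inside SEQUENCE")
    r, s = int.from_bytes(r_raw, "big"), int.from_bytes(s_raw, "big")
    if max(r, s) >> (8 * field_bytes):
        raise ValueError("integer does not fit the curve's field size")
    return r.to_bytes(field_bytes, "big") + s.to_bytes(field_bytes, "big")
```

A raw signature from a JDK 9+ `SHA256withECDSAinP1363Format` instance can be passed through p1363_to_der before handing it to a verifier that expects the DER form, and the reverse direction covers the opposite case.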
-------------------------------------------------------------------------------------------------------------
JSS 2023.01.3 released
This is a third party library update release.
Library updates
- Updates Spring Boot Dependencies to version 2.7.10 due to CVE-2023-28708 in embedded tomcat.
Same applies to JSS releases for older yet maintained releases JSS 2022.06.4 and JSS 2022.03.5.
---------------------------------------------------------------------------------------------------------------------------------------------------
ESS 2021.11.6 released
This is a third party library update release.
- Updates Apache CXF to version 3.4.10 due to CVE-2022-46363 and CVE-2022-46364
- Updates FasterXML Jackson to version 2.13.5 due to CVE-2022-42003 and CVE-2022-42004
- Updates Netty to version 4.1.86.Final due to CVE-2022-41881
- Updates Resteasy to version 5.0.5.Final due to CVE-2023-0482
- Updates Spring to version 5.3.26 due to CVE-2023-20861
- Updates FasterXML Woodstox to version 6.4.0 due to CVE-2022-40152
Due to the large number, framework character and impact of these interconnected library updates, we advise more than ever to roll this update out on testing environments first.
---------------------------------------------------------------------------------------------------------------------------------------------------
JSS 2023.01.2 released
This is a bugfix and third party library update release.
Bugfixes
- JSS-1304: PCIAuditLog Checkbox for TLS
Directly loading audit logs with the JSS Maintenance Client from an HSM was not yet possible due to a missing TLS checkbox. This has been fixed.
Library updates
- Updates Spring to version 5.3.26 due to CVE-2023-20860 (https://spring.io/security/cve-2023-20860) and CVE-2023-20861 (https://spring.io/security/cve-2023-20861)
- Updates Snakeyaml due to CVE-2022-1471 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1471)
Also take note of the JSS hotfix releases for the older yet maintained releases JSS 2022.06.3 and JSS 2022.03.4, which also bump the underlying Spring framework version.
---------------------------------------------------------------------------------------------------------------------------------------------------
JSS 2023.01.1 released
This is a bugfix release.
Bugfixes
- JSS-1302: Runtime deliverable included antlr framework
Erroneously, some ANTLR libraries that are only necessary for the build process were also included in the distribution. These libraries are now excluded.
- JSS-1303: AbstractSignature does not delegate algorithm parameters in engineInitSign(PrivateKey, SecureRandom)
AbstractSignature.engineInitSign(PrivateKey, SecureRandom) did not delegate algorithm parameters to another provider. This has been fixed.
---------------------------------------------------------------------------------------------------------------------------------------------------
Worldline PKI Appliance Release 2022.02 Application 4.0.13 Bugfix 2023.02.23
This is a bugfix release.
- PKIDEVAC-31: API Service isn’t deployed when the database is unreachable
With this release emCAServices can get deployed even if the database is unreachable. This has been fixed.
---------------------------------------------------------------------------------------------------------------------------------------------------
JSS 2023.01.0 released 02.02.2023
This is a feature and bugfix release.
It introduces support for the ASM 8.9a firmware version together with several new and updated runtime APIs.
Several classes and methods that had been deprecated for a while have now been removed.
---------------------------------------------------------------------------------------------------------------------------------------------------
JSS 2022.03.3 and 2022.06.2 released 25.01.2023
These are third party library update releases. Most importantly, both releases contain the HSQLDB version 2.7.1 due to CVE-2022-41853. Please see the release notes for further information.
---------------------------------------------------------------------------------------------------------------------------------------------------
PrimeKey Hardware Appliance 3.11 11.01.2022
PrimeKey has released version 3.11 of the PKI hardware appliance. In this version several bugs were fixed and features added. For more information please visit https://doc.primekey.com/ejbca-appliance/release-notes/hardware-appliance-3-11-release-notes
---------------------------------------------------------------------------------------------------------------------------------------------------
ESS 2021.11.5 08.11.2022
This release solves possible bottlenecks in REST services. Users may now configure thread pool sizes for the Crypto Support and Supervisor.
---------------------------------------------------------------------------------------------------------------------------------------------------
JSS 2022.06.1 released 24.10.2022
This is a feature release. This release introduces support for the ASM 8.8b firmware version. Please see the release notes for further information.
---------------------------------------------------------------------------------------------------------------------------------------------------
JSS 2022.06.0 released 08.06.2022
This is a feature and bugfix release.
It introduces support for the ASM 8.8a firmware version together with several new and updated runtime APIs.
This release also sees a major change in the JSS codebase, as the shift from a former Atos Company to Worldline is reflected in all package names.
ESS 2021.11.4 released 04.05.2022
This is a bugfix release.
JSS 2022.03.0 released 31.03.2022
This is a feature and bugfix release.
The release is focused on the rework of the JSS Maintenance Server network engine for HSM communication, the addition of payment functionality to the RESTful API and support for the new ASM 8.7b. Starting with this release, we will publish a changelog to accompany the release notes in order to better highlight necessary migrations from an integration perspective.
ESS 2021.11.2 released 16.02.2022
This release adds functions that were deprecated and removed but are still in use.
ESS 2021.11.1 released 22.12.2021
This release is a dependency update release of Worldline Energy Security Suite 2021.11.x, due to found CVEs in used third party libraries.
JSS 2021.12.0 released 21.12.2021
This is a regular feature and bugfix release.
It mainly focuses on replacing the outdated remoting technology used in the JSS Maintenance Server and providing support for the upcoming ASM8.7 firmware release.
As usual, make sure to recompile your applications against the new JSS Runtime in order to detect any incompatibilities.
ESS 2.7.6 released 13.12.2021
This release is a dependency update release of Worldline Energy Security Suite 2.7.x, due to found CVEs in used third party libraries.
ASM 8.7a released 13.12.2021
Release 8.7a covers the following major topics:
· Introduction of Remote Clear Key Entry by means of a KED (key entry device) for remote import of clear key components. This will be an alternative to local key import via PIN pad
· PCI PTS HSM V3 certification and German DK approval
· Support of triple-DES key block protection keys (KBPK) in TR-31 key blocks
ESS 2021.11.0 released 01.12.2021
This is a regular feature and bugfix release.
It mainly focuses on providing strategies to optimize firmware download and on the replacement of Codahale Metrics with MicroMeter.
ESS 2.7.5 released 21.10.2021
ESS Release 2.7.5 is a bugfix release for Worldline ESS 2.7.x.
This patch fixes an issue when a CRL download is redirected using a different protocol, such as a redirect from http to https.
PrimeKey Appliance Update 3.9.1 and EJBCA 7.8.0.1 released 19.10.2021
PrimeKey has released the new software version 3.9.1 for the PrimeKey Appliance. This update also includes an update to EJBCA EE 7.8.0.1. Full details of the publication can be found on the PrimeKey website: https://doc.primekey.com/ejbca-appliance/release-notes/hardware-appliance-3-9-1-release-notes
The Update contains the following changes:
· Transaction Handling for Publishers improved
A failure in direct publishing does not lead to a complete rollback, but the certificate is still issued and can be managed accordingly. This was done to improve publishing in the context of Certificate Transparency (CT).
· CRL and OCSP Validity Compliance
EJBCA had added one second too much validity to CRLs and OCSP responses; this has been corrected in order to comply with RFC 5280. This issue is relevant to PKIs in the CA/B context rather than to internally operated PKIs.
To the best of our knowledge, these changes do not affect any of our customers directly. Based on the software changes, the update can therefore be postponed to a later point in time.
This update also included one medium Security patch:
· Audience Claims not required by default
Medium – an attacker would still need to have a valid OAuth token with other claims valid for a defined role, but intended for a different audience.
It is generally recommended to apply any security patch as soon as possible. As the above security patch, to the best of our knowledge, does not immediately affect our customers, it may also be applied along with the next update.
JSS 2021.09.0 released 30.09.2021
This is a regular feature and bugfix release.
It mainly focuses on extending the API provided by the JSS RESTful server. The JSS RESTful server now has added support for a first bunch of Card Management and Payment functions.
As usual, make sure to recompile your applications against the new JSS Runtime in order to detect any incompatibilities.
JSS 2021.07.2 released 19.08.2021
JSS version 2021.07.1 received a patch release today:
JSS 2021.07.2 fixes a security vulnerability in the JSS MaintServer where stack traces of server errors revealed information about internally used libraries. In addition, the library version of the Jetty web server component has been upgraded due to a vulnerability listed in the NIST CVE database.
JSS 2021.07.1 released 16.07.2021
JSS version 2021.07.0 received a patch release today:
JSS 2021.07.1 fixes a bug in the JSS Maintenance GUI that prevented creating Certificate Import PIN Pad Templates for EGK root certificates. This release now allows selecting the appropriate Key Context for these certificate types.
JSS 2021.07.0 released 07.07.2021
The new JSS Release 2021.07.0 has just been released.
This is a regular feature and bugfix release. It focuses on support of the new ASM firmware 8.6a and introduces new functions for eHealth and smart metering. The JSS RESTful server now supports the complete DLMS/COSEM API that is available in the JSS runtime. The JCA provider now supports instanced variants of JSS, which allows using more than one JSS instance via JCA at the same time.
Additionally, the support for Codahale/Dropwizard metrics has been replaced by support for MicroMeter.
©2022 Worldline.
Contact Details
More information about the products mentioned within this news such as product flyer, data sheets, release notes or similar can be requested from the MTS Security Solutions product management. For any requests, please contact infowl-de@worldline.com.
Disclaimer
None of the functionalities, product and other descriptions contained in this document represents a guarantee in the legal sense. The document is based on assumptions made by Worldline based on currently available information (e.g. BSI SMGW-PP and BSI TR-03109) in relation to the service offered. Worldline reserves the right to adapt or modify the product and its roadmap accordingly should the assumptions change or prove not to be applicable.