SignServer 5.8.2 Release Notes

FEBRUARY 2022

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.8.2.

This minor release mainly upgrades the Log4j library to the latest version of Log4j 2. It also includes some error corrections and improvements.

Highlights

Log4j Upgrade

As stated before, SignServer was never vulnerable to CVE-2021-44228 or the subsequent findings, because SignServer handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block; it is not used in the main deployment and is only ever directly referenced from the CLI, but it will still trip automatic vulnerability scanners. As we understand that some of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to remove any questions about SignServer being vulnerable.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.8.2, refer to our JIRA Issue Tracker.

Issues Resolved in 5.8.2

Released February 2022

New Features

DSS-2334 - System tests using already configured Peers connection

Improvements

DSS-2403 - Update documentation for WildFly 24

DSS-2424 - Upgrade log4j library

DSS-2206 - CESeCore Merge: Configure full Azure Key Vault Name which would include the DNS FQDN

DSS-2418 - Upgrade JackNJI11 to include "Keep memory in template" fix

DSS-2427 - Unduplicate P11NG CLI code both in P11NG-Common and P11NG-CLI

DSS-2431 - Upgrade SLF4J

Bug Fixes

DSS-1773 - P11NG CLI - 'oneTimePerformanceTest' action with ShortLived RSA key causes process crash

DSS-2409 - Apache HttpClient not deployed with signserver.ear unless peers module included

DSS-2411 - Public key objects not removed with P11NG removeKey method

DSS-2413 - Key objects created when generating a wrapped key not explicitly removed

DSS-2414 - Unwrapped key not released properly after generating CSR

DSS-2416 - Unit test signature verification not checked properly in CMSSignerUnitTest