oviva epa4all-client TLS Certificate Validation Vulnerability Allowing Interception of SOAP Traffic

Vulnerability

The oviva epa4all-client Java library, in versions prior to 1.2.2, does not properly validate the TLS certificate presented by the Konnektor. An attacker on the network path between the ePA service (the application using epa4all-client) and the Konnektor can present any certificate, including a self-signed certificate, an expired certificate, or a certificate whose common name or subject alternative name does not match the Konnektor's hostname, and the client accepts it. The attacker can then terminate the TLS session as a man-in-the-middle and intercept all SOAP traffic, which includes sensitive information such as patient identifiers, SMC-B card operations (authentication and signing), document content, and credential exchanges.
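The following is an added illustration of the class of bug described above, not code from epa4all-client or a reconstruction of its fix. It shows the pattern that produces exactly this behaviour in a Java SOAP client (a TrustManager that accepts every chain plus a HostnameVerifier that accepts every host) beside a hardened configuration that trusts only a dedicated truststore and keeps the JDK's default hostname verification. The file name `konnektor-ca.p12`, its password, the URL and the class name are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example code only (not from epa4all-client): vulnerable vs. hardened TLS setup.
public final class KonnektorTlsExample {

    // VULNERABLE PATTERN. checkServerTrusted() never throws, so the PKIX checks
    // that would reject an unknown issuer, an expired certificate or a bad chain
    // are skipped; the lambda verifier accepts any hostname, so a certificate for
    // a different CN/SAN also passes. An on-path attacker can terminate TLS with
    // any certificate and read the SOAP traffic in the clear.
    static SSLContext insecureContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        // Disables hostname matching process-wide; a classic sign of this bug.
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
        return ctx;
    }

    // HARDENED FORM. Only certificates chaining to the CA(s) in the given
    // truststore are accepted; the default PKIX TrustManager also enforces the
    // validity period, so expired certificates are rejected. Hostname
    // verification is left at the JDK default, which matches the peer name
    // against the certificate's subject alternative names.
    static SSLContext pinnedContext(String truststorePath, char[] truststorePassword) throws Exception {
        KeyStore truststore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: konnektor-ca.p12 holds the Konnektor's issuing CA certificate.
        SSLContext ctx = pinnedContext("konnektor-ca.p12", "changeit".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://konnektor.example/ws").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier() call: the default verifier stays in force.
        conn.connect();
        System.out.println("TLS peer verified: " + conn.getServerCertificates()[0]);
        conn.disconnect();
    }
}
```

A quick audit for this bug class in any Java SOAP client is to grep for `X509TrustManager` implementations with empty `checkServerTrusted` bodies, for `HostnameVerifier` lambdas that return `true`, and for `setDefaultHostnameVerifier`; SOAP stacks that take the socket factory from their own request-context properties must be given the hardened factory there rather than through `HttpsURLConnection`.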

Impact

Exploitation of this vulnerability allows an on-path attacker to intercept SOAP traffic between the client and the Konnektor, including sensitive patient information and SMC-B card operations (authentication and signing). This creates a risk of unauthorized disclosure of patient data and of unauthorized use of the card operations carried over that channel.

Remediation

Users are advised to update to version 1.2.2, in which this vulnerability has been patched; instructions for updating can be found in the GitHub repository's release notes. Independently of the library version, verify that the application itself does not install a trust-all TrustManager or a permissive HostnameVerifier for the Konnektor connection, and that the truststore used for that connection contains only the Konnektor's issuing CA, since any such override would re-introduce the same exposure.

Added: May 26, 2026, 11:42 PM
Updated: May 26, 2026, 11:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.9
remediation: 0.0
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.