Executive Summary

The vulnerability exists in epa4all-client, the Java client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Before version 1.2.2, an attacker positioned on the network path between the ePA service and the Konnektor can present any TLS certificate—whether self-signed, expired, or with the wrong common name—and successfully intercept all SOAP traffic.

This means the attacker can perform a man-in-the-middle attack, bypassing TLS certificate validation, and capture sensitive data transmitted between the client and service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to intercept sensitive information including patient identifiers (KVNR), SMC-B card operations such as authentication and signing, document content, and credential exchanges.

Such interception can lead to unauthorized access to confidential patient data, compromise of authentication mechanisms, and potential misuse of credentials, severely impacting data confidentiality and integrity.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the epa4all-client to version 1.2.2 or later, as this version fixes the issue where an attacker can present any TLS certificate and intercept SOAP traffic.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker on the network path to intercept all SOAP traffic, including sensitive patient identifiers, authentication operations, document content, and credential exchanges. Such interception of sensitive personal health information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and health data against unauthorized access and disclosure.

Specifically, the exposure of patient identifiers and health-related data through interception violates principles of confidentiality and data integrity mandated by these regulations.

Useful 0 Not Useful 0