Oviva epa4all-client

TLS Certificate Validation Disabled in Production

The production REST service entry point builds the Konnektor connection with .trustAllServers(), installing a NaiveTrustManager whose checkServerTrusted() is a no-op, and disables the common-name check. There is no other path in the production entry point. An attacker on the network path between the ePA service and the Konnektor can present any certificate and intercept the SOAP traffic in cleartext.

Authored by Chiara Fliegner, Volker Schönefeld, Simon Weber
Disclosed 2026-05-11
Fully disclosed 2026-05-28

Severity: High
CVSS: 8.1
CVSS 3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-295 (Improper Certificate Validation)
Product: Oviva epa4all-client
Affected Versions: All versions before 1.2.2
Fixed In: 1.2.2 (incorporates pull request #36)
CVE: CVE-2026-45574
GHSA: GHSA-5hhf-xmfx-4vvr

Description

buildFactory() selects the trust-all path with no conditional or configuration gate:

Main.java:125-131

    private KonnektorConnectionFactory buildFactory(Config cfg) {
        return KonnektorConnectionFactoryBuilder.newBuilder()
            .clientKeys(cfg.clientKeys())
            .konnektorUri(cfg.konnektorUri())
            .proxyServer(cfg.proxyAddress(), cfg.proxyPort())
            .trustAllServers() // currently we don't validate the server's certificate
            .build();
    }

.trustAllServers() installs NaiveTrustManager, whose checkServerTrusted() is an empty method that accepts any certificate:

NaiveTrustManager.java:8-28

    import java.security.cert.X509Certificate;
    import javax.net.ssl.X509TrustManager;

    public class NaiveTrustManager implements X509TrustManager {
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // we're naive, let's just trust everything
        }
        // checkClientTrusted() and getAcceptedIssuers() lie outside the quoted lines
    }

Hostname verification is also turned off, at KonnektorConnectionFactoryImpl.java:158 (tlsParams.setDisableCNCheck(true)). The builder method behind .trustAllServers() carries a /** DO NOT USE IN PRODUCTION! */ Javadoc, so the production entry point reaches the trust-all manager through a method explicitly marked not for production, with no alternative path in the reviewed code.

Impact

  • An attacker on the network segment between the ePA service and the Konnektor (the healthcare facility's LAN, a VPN transit hop, or TI network infrastructure) presents a self-signed certificate for any hostname; the client accepts it and the connection is established.
  • The intercepted SOAP exchange carries patient identifiers (KVNR), SMC-B card operations (authentication and signing), document content, and credential exchanges. The attacker can read and tamper with all of it.

Mitigation

Update epa4all-client to 1.2.2 or later. The fix replaces .trustAllServers() with a properly configured TrustManager that validates the Konnektor's certificate, and removes the setDisableCNCheck(true) hostname-check override. The Konnektor certificate must be validated against the appropriate trust anchor (the Konnektor's CA, which may be operator-specific) with the hostname check left on; do not fall back to the system default trust store alone.

Defender's Checklist

  • Update epa4all-client to 1.2.2 or later.

    All versions before 1.2.2 are affected. The fix is pull request #36.

  • Confirm trustAllServers() is gone from the production path.

    Check that the production entry point no longer calls .trustAllServers() and that NaiveTrustManager is not installed. The method behind it is Javadoc-marked not for production.

  • Verify the hostname check is on.

    Confirm setDisableCNCheck(true) is removed so the Konnektor certificate's CN/SAN must match the expected hostname.

  • Validate against the correct trust anchor.

    The Konnektor certificate must chain to its appropriate CA. Bind that trust store to the connection rather than disabling validation; a self-signed or operator-specific Konnektor certificate is handled with a dedicated trust store, not a trust-all manager.
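A hardened replacement for the trust-all path, covering both the Mitigation section and the checklist items above. This is an added example, not code from epa4all-client or from pull request #36; it assumes Apache CXF's TLSClientParameters (the tlsParams object the page refers to) and a PKCS12 trust store that holds only the Konnektor CA, with paths and passwords as illustrative inputs.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Added example, not epa4all-client code: Konnektor TLS with the trust-all path removed. */
public final class KonnektorTls {
    /**
     * konnektorCaStore: PKCS12 holding only the Konnektor CA (the operator-specific trust
     * anchor); the JVM default cacerts is deliberately not used. clientKeyStore: the client
     * key material the page calls clientKeys(). Paths and passwords are illustrative.
     */
    public static TLSClientParameters build(Path konnektorCaStore, char[] trustPassword,
                                            Path clientKeyStore, char[] keyPassword)
            throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(konnektorCaStore)) {
            trust.load(in, trustPassword);
        }
        if (trust.size() == 0) { // empty anchor set: fail early, not at first handshake
            throw new IllegalStateException("no Konnektor CA certificate in " + konnektorCaStore);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust); // PKIX chain validation against the dedicated anchor only

        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(clientKeyStore)) {
            keys.load(in, keyPassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers()); // replaces NaiveTrustManager
        tls.setDisableCNCheck(false);                 // CN/SAN check stays on
        return tls;
    }

    /** Attaches the parameters to the HTTP conduit of a CXF JAX-WS proxy. */
    public static void apply(Object port, TLSClientParameters tls) {
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

With this in place a certificate that does not chain to the Konnektor CA, or whose CN/SAN does not match the configured Konnektor host, fails the handshake instead of being silently accepted.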

Severity Reasoning

  • AV:A: The attacker must sit on the network segment between the ePA service and the Konnektor, an adjacent-network position such as the facility LAN or a VPN transit hop.
  • AC:L: Any self-signed certificate is accepted; no timing or environmental conditions.
  • PR:N: No credentials required beyond the network position.
  • UI:N: The REST service opens the Konnektor connection on its own; no user interaction.
  • S:U: Impact is bounded to the SOAP traffic between the service and the Konnektor.
  • C:H: Plaintext access to KVNRs, SMC-B operations, document content, and credentials on the intercepted connection.
  • I:H: The attacker can modify SOAP requests and responses in both directions, including signing operations and document content.
  • A:N: No availability impact.

Who We Are

The security researchers behind this advisory.

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumnus of THB MedSec Research Group
  • gematik Security Hero
Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.