CVE-2022-21449, a critical vulnerability (CVSS 7.5), affects the Java SE and Oracle GraalVM Enterprise Edition versions listed below:
- Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
- Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2
Elliptic Curve Digital Signature Algorithm (ECDSA) is a cryptographic mechanism for digitally signing messages and data in order to verify their authenticity and integrity. The problem is in Java's implementation of ECDSA.
An implementation flaw known as "Psychic Signatures in Java" makes it possible to present a completely blank signature, which the vulnerable implementation will still accept as valid.
An attacker who is able to successfully exploit the flaw will be able to forge signatures and circumvent the authentication measures in place.
A TLS handshake can proceed unimpeded if a vulnerable client accepts an invalid signature from a malicious server, according to Khaled Nassar, a security researcher who published a proof of concept (PoC).
ForgeRock researcher Neil Madden, who discovered and reported the flaw on November 11, 2021, said, "It's hard to overstate the severity of this bug."
As long as your server is running Java 15, 16, 17, or 18 and you are using ECDSA signatures for any of these security mechanisms, an attacker can easily and completely bypass them.
On April 19, 2022, Oracle released its quarterly Critical Patch Update (CPU) to address the issue.
In light of the PoC's release, it is recommended that organizations that use Java 15, Java 16, Java 17, or Java 18 in their environments prioritize applying the patches in order to reduce the risk of active exploitation.