Proof-of-concept (PoC) code demonstrating a recently disclosed digital signature bypass vulnerability in Java has been posted online.
CVE-2022-21449 (CVSS score: 7.5) is a high-severity flaw that affects the following versions of Java SE and Oracle GraalVM Enterprise Edition:
* Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
* Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2
The flaw is in Java’s implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), a cryptographic mechanism for verifying the authenticity and integrity of a message or document.
In brief, the cryptographic flaw, dubbed Psychic Signatures in Java, allows a completely blank signature, one whose r and s values are both zero, to be accepted as valid by the vulnerable implementation. A correct ECDSA verifier must reject any r or s outside the range 1 to n-1 (n being the order of the curve’s base point) before doing any arithmetic; the vulnerable code skipped that check, so the arithmetic degenerates to a result that always matches r = 0.
If the vulnerability is successfully exploited, an attacker can forge signatures and bypass the authentication measures that rely on them.
The proof-of-concept, published by security researcher Khaled Nassar, includes a vulnerable client and a malicious TLS server, with the former accepting an invalid signature from the server, effectively allowing the TLS handshake to proceed unimpeded.
ForgeRock researcher Neil Madden, who discovered and reported the flaw on November 11, 2021, said: “It’s hard to overstate the severity of this bug.”
“If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version.”
Oracle fixed the security flaw in its quarterly April 2022 Critical Patch Update (CPU), which was released on April 19, 2022.
Organizations that run Java 15, Java 16, Java 17, or Java 18 in their environments should prioritize applying the patches, since the public PoC lowers the bar for exploitation.