Recently, security researcher Khaled Nassar published the PoC code of the newly disclosed digital signature bypass vulnerability in Java on GitHub, which is tracked as CVE-2022-21449.
It is understood that the vulnerability was discovered in November last year by Neil Madden, a researcher at ForgeRock, a security consulting firm, who notified Oracle of the situation the same day.
Although Oracle gave the vulnerability a CVSS score of only 7.5, ForgeRock said it had disclosed the vulnerability privately as soon as it was discovered and rated it a CVSS 10.
Madden explained, "It's hard to overstate the severity of this vulnerability. If ECDSA signing is used for any of these security mechanisms (SSL, JWT, WebAuthn) and your server was running Java versions 15, 16, 17 or 18 before the April 2022 Critical Patch Update (CPU), attackers could easily bypass them completely. Almost all WebAuthn/FIDO devices in the real world (including Yubikey) use ECDSA signatures, and many OIDC providers use ECDSA-signed JWTs."
Additionally, information security expert Thomas Ptacek has described the vulnerability as the "crypto bug of the year."
The vulnerability, known as Psychic Signatures, lies in Java's implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) and exists in Java versions 15, 16, 17 and 18. ECDSA is a cryptographic mechanism used to digitally sign messages and data so that the authenticity of the content can be verified; an attacker could exploit this vulnerability to forge TLS signatures and bypass authentication measures.
Nassar demonstrated that a malicious TLS server could trick a client into accepting an invalid signature from the server, effectively allowing the rest of the TLS handshake to proceed.
The vulnerability affects the following versions of Java SE and Oracle GraalVM Enterprise Edition:
- Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
- Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2
At present, Oracle has fixed this vulnerability in its Critical Patch Update and urges developers and enterprises using Java 15, 16, 17 and 18 to update as soon as possible.