Are you using Java 15/16/17 or 18 in production? Patch them now!

Pierluigi Paganini April 23, 2022

A researcher has released proof-of-concept (PoC) code for a digital signature bypass vulnerability in Java.

Security researcher Khaled Nassar released a proof-of-concept (PoC) code for a new digital signature bypass vulnerability, tracked as CVE-2022-21449 (CVSS score: 7.5), in Java.

The vulnerability was discovered by ForgeRock researcher Neil Madden, who notified Oracle on November 11, 2021.

An unauthenticated attacker with network access via multiple protocols can trigger the issue to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

The flaw impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition:

  • Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
  • Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1,

The vulnerability, dubbed Psychic Signatures, resides in Java’s implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA).

The flaw allows presenting a totally blank signature that is accepted as valid by the vulnerable implementation.

Successful exploitation of the flaw could permit an attacker to forge signatures and bypass authentication measures put in place.

Nassar demonstrated that setting up a malicious TLS server could deceive a client into accepting an invalid signature from the server, effectively allowing the rest of the TLS handshake to continue.

Oracle addressed the issue with the release of the April 2022 Critical Patch Update (CPU).

Organizations that have deployed Java 15, Java 16, Java 17, or 18 in production should install the security updates immediately.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(Security Affair hacking, cryptography)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment