Are you using Java 15/16/17 or 18 in production? Patch them now!

April 23, 2022  By Pierluigi Paganini


A researcher has released proof-of-concept (PoC) code for a digital signature bypass vulnerability in Java.

Security researcher Khaled Nassar released a proof-of-concept (PoC) code for a new digital signature bypass vulnerability, tracked as CVE-2022-21449 (CVSS score: 7.5), in Java.

The vulnerability was discovered by ForgeRock researcher Neil Madden, who notified Oracle on November 11, 2021.

An unauthenticated attacker with network access via multiple protocols can trigger the issue to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

The flaw impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition:

  • Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
  • Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

The vulnerability, dubbed Psychic Signatures, resides in Java’s implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA).

The flaw allows presenting a totally blank signature that is accepted as valid by the vulnerable implementation.

Successful exploitation of the flaw could permit an attacker to forge signatures and bypass authentication measures put in place.

Nassar demonstrated that setting up a malicious TLS server could deceive a client into accepting an invalid signature from the server, effectively allowing the rest of the TLS handshake to continue.

Oracle addressed the issue with the release of the April 2022 Critical Patch Update (CPU).

Organizations that have deployed Java 15, Java 16, Java 17, or 18 in production should install the security updates immediately.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(Security Affair hacking, cryptography)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Phishing attacks using the topic "Azovstal" targets entities in Ukraine

 Ukraine CERT-UA warns of phishing attacks on state organizations of Ukraine using the topic "Azovstal" and Cobalt Strike...