Security researcher Khaled Nassar released a proof-of-concept (PoC) code for a new digital signature bypass vulnerability, tracked as CVE-2022-21449 (CVSS score: 7.5), in Java.
The vulnerability was discovered by ForgeRock researcher Neil Madden, who notified Oracle on November 11, 2021.
An unauthenticated attacker with network access via multiple protocols can trigger the issue to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
The flaw impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition:
The vulnerability, dubbed Psychic Signatures, resides in Java’s implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA).
The flaw allows presenting a totally blank signature that is accepted as valid by the vulnerable implementation.
Successful exploitation of the flaw could permit an attacker to forge signatures and bypass authentication measures put in place.
Nassar demonstrated that setting up a malicious TLS server could deceive a client into accepting an invalid signature from the server, effectively allowing the rest of the TLS handshake to continue.
Oracle addressed the issue with the release of the April 2022 Critical Patch Update (CPU).
Organizations that have deployed Java 15, Java 16, Java 17, or 18 in production should install the security updates immediately.
Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs hacking, cryptography)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.