Oracle has patched a nasty vulnerability in the Java framework, the severity of which cannot be overstated, according to security experts.
Tracked as CVE-2022-21449, the flaw was discovered in the company’s Elliptic Curve Digital Signature Algorithm (ECDSA) for Java 15 and later. It allows threat actors to forge TSL certificates and signatures, two-factor authentication codes, authorization credentials, and more.
As explained by Ars-Technica, ECDSA is an algorithm that digitally authenticates messages. Because it generates keys, it is often used in standards such as FIDO’s two-factor authentication, Security Assertion Markup Language, OpenID, and JSON.
Forging SSL certificates and handshakes
The vulnerability was first discovered by ForgeRock’s Neil Madden, who compared the exploit to the blank ID card in the sci-fi series Doctor Who. In the series, the person looking at the ID card sees everything the holder wants them to see, despite the card being blank.
“It turns out that some recent versions of Java were vulnerable to a similar kind of trick, in the implementation of widely used ECDSA signatures,” Madden explained.
“If you are running one of the vulnerable versions, an attacker can easily tamper with certain types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions, or security tokens. OIDC identification, and even WebAuthn authentication messages, all using the digital equivalent of a blank sheet of paper.
The flaw was given an official severity score of 7.5/10, but Madden strongly disagrees with the assessment.
“It’s hard to overstate the severity of this bug. If you use ECDSA signatures for any of these security mechanisms, an attacker can trivially and completely bypass them if your server is running Java version 15, 16, 17, or 18 before the critical patch update (CPU ) of April 2022. For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys use ECDSA signatures and many OIDC providers use ECDSA signed JWTs,” he said.
Apparently only Java versions 15 and newer are affected, although Oracle has also listed versions 7, 8, and 11 as vulnerable. However, all customers are encouraged to update their terminals to the most recent version.
Via Ars Technica