Oracle has patched a nasty vulnerability in the Java framework, the severity of which cannot be overstated, security experts say.
Tracked as CVE-2022-21449, the flaw was found in the company’s Elliptic Curve Digital Signature Algorithm (ECDSA) for Java 15 and newer. It allows threat actors to fake TSL certificates and signatures, two-factor authentication codes, authorization credentials and the like.
As explained by ArsTechnica, ECDSA is an algorithm that digitally authenticates messages. As it generates keys, it’s often used in standards such as FIDO’s two-factor authentication, the Security Assertion Markup Language, OpenID, and JSON.
Forging SSL certificates and handshakes
The vulnerability was first discovered by Neil Madden of ForgeRock, who compared the exploit to the blank identity card from sci-fi series Doctor Who. In the series, the person looking at the ID card sees whatever the holder wants them to see, despite the fact that the card is blank.
“It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used ECDSA signatures,” Madden explained.
“If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.”
The flaw has received an official severity score of 7.5/10, but Madden disagrees strongly with the assessment.
“It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs," he said.
Allegedly, only Java versions 15 and newer are affected, although Oracle also listed versions 7,8, and 11, as vulnerable. Still, all customers are urged to update their endpoints to the newest version.
April 27: Following the release of the article, PR Manager for Yubico, Ryan Schin, reached out to TechRadar Pro, saying the inclusion of YubiKeys in the article is misleading as there is no threat to YubiKeys themselves due to this vulnerability from Java.
"Yubico is aware of this issue and how it affects Oracle Java 15+ and OpenJDK, including other JDKs derived from OpenJDK," Yubico said in a statement. "This vulnerability is not in the YubiKey firmware or the WebAuthn protocol, and we recommend organizations and individuals patch their Java deployments. Yubico will continue to provide further guidance on best practices as appropriate in the future."
Via ArsTechnica
