A proof-of-concept (PoC) has been shared online that demonstrates a newly disclosed digital signature bypass vulnerability in Java's cryptographic code.

Affected versions:
- Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
- Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.214.171.124
The flaw resides in Java’s implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), a cryptographic mechanism used to digitally sign messages and data so that the authenticity and integrity of the contents can be verified.
The cryptographic error, dubbed Psychic Signatures in Java, makes it possible to present a totally blank signature that the vulnerable implementation perceives as valid. Successful exploitation of the flaw lets bad actors forge signatures and bypass the authentication measures put in place.
The PoC, published by researcher Khaled Nassar, involves a vulnerable client and a malicious TLS server. The victim accepts an invalid signature from the server, effectively allowing the TLS handshake to continue unimpeded.
“It’s hard to overstate the severity of this bug,” said ForgeRock researcher Neil Madden, who discovered and reported the flaw on November 11, 2021. “If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version.”
Oracle has since addressed the issue as part of its quarterly April 2022 Critical Patch Update (CPU), released on April 19, 2022.
In light of the PoC release, users are advised to prioritize the patches to mitigate active exploitation, especially those using Java 15, Java 16, Java 17, or Java 18 in their environments.