Psychic Signatures Vulnerability in Java (CVE-2022-21449)

April 21, 2022

Summary

A significant vulnerability has been discovered in Oracle Java SE, Oracle GraalVM Enterprise Edition, and OpenJDK. Due to a flaw in Java's ECDSA signature verification, unauthenticated adversaries can compromise Java deployments over the network using multiple protocols. This is possible because the cryptographic flaw lets adversaries forge a wide range of credentials, certificates, signatures, and other authentication messages. [1] [2] This vulnerability applies to Java deployments, typically in clients running Java Web Start applications and sandboxed Java applets. The vulnerability can also be exploited through APIs in web services that use the vulnerable component. [4]

Impact

If you are running one of the vulnerable versions of Java, then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. Other attack vectors are likely to be discovered. [2]

Vulnerable

  • Oracle Java 7, 8, 11, 15, 16, 17, and 18
  • Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, and 22.0.0.2
  • OpenJDK 15, 17, and 18

Recommendations

While CVE-2022-21449 has been rated as CVSS 7.5, the impact is still being understood and is likely to be more critical due to its effects on a wide range of protocols and Java deployments.

If you have vulnerable versions of Java deployed, ISO is advising that you upgrade to a patched version immediately. Please review the Oracle, RedHat, and OpenJDK advisories linked below.
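The following is an added check, not part of this advisory or of any vendor's code, that a practitioner can run on a JVM before and after patching to confirm the fix took effect. It relies on the known nature of the flaw: ECDSA requires both signature values r and s to lie in the range 1 to n-1, and an affected JVM omitted that range check, so a signature with r = 0 and s = 0 verifies against any message and any public key. The class name, message text and output strings are assumptions of this example; the algorithm name "SHA256withECDSA" and provider name "SunEC" are the standard JDK identifiers.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;

/**
 * Added example (not from the advisory): asks the JDK's own ECDSA verifier
 * to accept a signature whose r and s are both zero. A correct verifier
 * must reject it; a JVM affected by CVE-2022-21449 accepts it for any
 * message and any key.
 */
public class PsychicSignatureCheck {

    // DER encoding of the ECDSA signature (r = 0, s = 0):
    // SEQUENCE { INTEGER 0, INTEGER 0 }
    private static final byte[] ZERO_SIGNATURE = {
        0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00
    };

    /** Returns true only if the running JVM verifies the all-zero signature. */
    public static boolean isVulnerable() throws Exception {
        // Any fresh key will do: the flaw is independent of the key material.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);                      // P-256
        KeyPair kp = kpg.generateKeyPair();

        // Ask the SunEC provider explicitly so a third-party provider
        // (e.g. Bouncy Castle) registered on this JVM does not mask the result.
        Signature verifier = Signature.getInstance("SHA256withECDSA", "SunEC");
        verifier.initVerify(kp.getPublic());
        verifier.update("message constructed for this check"
                .getBytes(StandardCharsets.UTF_8));
        try {
            // A patched JVM returns false here; an unpatched one returns true.
            return verifier.verify(ZERO_SIGNATURE);
        } catch (SignatureException e) {
            // Rejecting a malformed signature with an exception is also correct.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println(isVulnerable()
                ? "VULNERABLE: zero ECDSA signature verified; upgrade this JVM"
                : "OK: zero ECDSA signature rejected");
    }
}
```

Run it with the exact JVM that serves your application (for example `path/to/jre/bin/java PsychicSignatureCheck`), since several runtimes are often installed side by side; a "VULNERABLE" result on any of them means that runtime still needs the update from the Oracle, RedHat, or OpenJDK advisories below.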

References

[1] https://arstechnica.com/information-technology/2022/04/major-crypto-blun...

[2] https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

[3] https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA

[4] https://access.redhat.com/security/cve/cve-2022-21449

[5] https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19