Risk Rating: HIGH  

Affected Product: Java SE & Oracle GraalVM Enterprise Edition product of Oracle Java SE 

Affected Version: Versions 15, 16, 17 & 18, Oracle GraalVM Enterprise Edition: 21.3.1 & 22.0.0.2 

Patched Version: April 2022 Critical Patch Update  

Vendor: Oracle  

Date of Disclosure: 19.04.2022 

Introduction:

A vulnerability exists within the implementation of ECDSA cryptographic signatures of all recent releases of Java, this vulnerability can result in a significant impact on the confidentiality and integrity of cryptographic communications and could potentially result in an attacker being able to bypass authentication mechanisms completely. 

It should be noted that the vendor and the team responsible for the disclosure of the vulnerability (forge rock) have assigned separate risk ratings. The vendor defines the impact on the confidentiality, integrity and availability (CIA) of information as HIGH. Whereas the ForgeRock team defines the impact on CIA of information as CRITICAL. 

Impact:

An unauthenticated remote attacker with network access can abuse this vulnerability to forge certain types of SSL/TLS certificates and handshakes, which would allow interception and modification of communications.  

They can also potentially forge signed JWT’s (JSON web tokens), SAML assertions, OIDC ID tokens and WebAuthn authentication messages. This essentially negates the confidentiality and integrity of information exchanged over an SSL/TLS connection. 

It should be noted that this vulnerability can also be exploited by using APIs in specific components, i.e. through a web service which supplies data to the APIs. Furthermore, sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code are also vulnerable. Unless they rely on other security controls in addition to sandboxing. 

Remediation(s):

Apply the CRITICAL Patch for April 2022 to remediate this vulnerability, the link to the official oracle advisory with instructions for applying the patch has been included in the links and resources section. This patch should be applied to all systems running the vulnerable versions listed in the advisory. 

Whilst the vulnerability is not stated to affect versions which predate Java 15, it is highly recommended to update to the latest version of Java, to ensure systems running Java in your production environment receive the latest maintenance and security patches from the vendor. 

Links & Resources:

• https://www.oracle.com/security-alerts/cpuapr2022.html 
• https://backstage.forgerock.com/knowledge/kb/article/a90257583  
• https://nvd.nist.gov/vuln/detail/CVE-2022-21449 
• https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/ 
• https://github.com/jfrog/jfrog-CVE-2022-21449