Oracle has patched a nasty vulnerability successful the Java framework, the severity of which cannot beryllium overstated, information experts say.
Tracked arsenic CVE-2022-21449, the flaw was recovered successful the company’s Elliptic Curve Digital Signature Algorithm (ECDSA) for Java 15 and newer. It allows menace actors to fake TSL certificates and signatures, two-factor authentication codes, authorization credentials and the like.
As explained by ArsTechnica, ECDSA is an algorithm that digitally authenticates messages. As it generates keys, it’s often utilized successful standards specified arsenic FIDO’s two-factor authentication, the Security Assertion Markup Language, OpenID, and JSON.
Forging SSL certificates and handshakes
The vulnerability was archetypal discovered by Neil Madden of ForgeRock, who compared the exploit to the blank individuality paper from sci-fi bid Doctor Who. In the series, the idiosyncratic looking astatine the ID paper sees immoderate the holder wants them to see, contempt the information that the paper is blank.
“It turns retired that immoderate caller releases of Java were susceptible to a akin benignant of trick, successful the implementation of widely-used ECDSA signatures,” Madden explained.
“If you are moving 1 of the susceptible versions past an attacker tin easy forge immoderate types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions oregon OIDC id tokens, and adjacent WebAuthn authentication messages. All utilizing the integer equivalent of a blank portion of paper.”
The flaw has received an authoritative severity people of 7.5/10, but Madden disagrees powerfully with the assessment.
“It’s hard to overstate the severity of this bug. If you are utilizing ECDSA signatures for immoderate of these information mechanisms, past an attacker tin trivially and wholly bypass them if your server is moving immoderate Java 15, 16, 17, oregon 18 mentation earlier the April 2022 Critical Patch Update (CPU). For context, astir each WebAuthn/FIDO devices successful the existent satellite (including Yubikeys usage ECDSA signatures and galore OIDC providers usage ECDSA-signed JWTs," helium said.
Allegedly, lone Java versions 15 and newer are affected, though Oracle besides listed versions 7,8, and 11, arsenic vulnerable. Still, each customers are urged to update their endpoints to the newest version.