Java ECDSA signature bug, CVE-2022-21449

A bit off topic, but figured it's PKI related and wanted to give a heads up for folks running services on Java 15 through 18.

If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.

It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys*) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs.


P.S EJBCA is safe because it's on java 8: mass revocation of EJBCA based CA would be major even in CA infractructure.


How "safe" can Java 8 really be thou?
[maybe it's not vulnerable to this particular CVE]


People are still using Java? :exploding_head:

/standard reply in every thread related to something Java related.

Ghe, it seems my laptop has OpenJDK 8 installed :rofl: I really have no idea about Java in general.. Seems to be a version from 2014. I also have OpenJDK 17.0.1 installed, which I probably should update to 17.0.2, although it seems that version is also affected..

Edit: ugh, the Java versioning is really terrible. They don't bump 17.0.2 to 17.0.3 I think, they use the "updates program"? I dunno? 17u+\d?
Reaaaaaaaally stupid unfathomable versioning in any case, I can't figure out where that "advisory" means with "unfathomable". WHICH release? I'll just have to trust my Gentoo maintainers they'll know to update the repository to.. whatever..

Or if anyone can highlight where I can find the "fixed" OpenJDK "release", that might be helpful too.


Clicking the "More information..." takes you to this page:
Free Java Update 8

1 Like

Unlike the rest of the software world, a newer version of Java will not automatically replace any previously installed version.
So, you could conceivably have every version of Java ever released installed in one system.
[security nightmare!]

That's "regular" Java for Windows it seems. Not OpenJDK for Linux :wink:

I just simply uninstalled OpenJDK 17. Be gone I tell ya! It seems I didn't need it, as no Gentoo packages currently are allowed to depend on Java 17 apparently, as Java 17 isn't supported (yet).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.