Researcher Releases PoC for Recent Java Cryptographic Vulnerability
2022-04-22 22:41

Proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online.

The high-severity flaw in question, CVE-2022-21449, impacts the following version of Java SE and Oracle GraalVM Enterprise Edition -.

The issue resides in Java's implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), a cryptographic mechanism for digitally signing messages and data so that the authenticity and integrity of the contents can be verified.

In a nutshell, the cryptographic blunder - dubbed Psychic Signatures in Java - makes it possible to present a totally blank signature, which would still be perceived as valid by the vulnerable implementation.

"If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version."

In light of the release of the PoC, organizations that use Java 15, Java 16, Java 17, or Java 18 in their environments are advised to prioritize the patches to mitigate active exploitation.
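A standard-conforming ECDSA verifier rejects any signature whose two integers r and s fall outside [1, n-1], where n is the curve order, and a blank signature fails exactly that check. The guard below is an added example, not code from the article, the researcher's PoC, or the JDK; the class and method names are hypothetical, and it assumes signatures in raw r||s (IEEE P1363) encoding on a constructed P-256 key and message.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

// Hypothetical class name; added example, not JDK or article code.
public class EcdsaRangeGuard {

    // True only if r and s are both in [1, n-1]. Assumes raw r||s (IEEE P1363) encoding.
    static boolean inRange(byte[] sig, ECPublicKey key) {
        BigInteger n = key.getParams().getOrder();
        int len = (n.bitLength() + 7) / 8;              // bytes per integer
        if (sig == null || sig.length != 2 * len) return false;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(sig, 0, len));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, len, 2 * len));
        return r.signum() > 0 && r.compareTo(n) < 0
            && s.signum() > 0 && s.compareTo(n) < 0;
    }

    // Runs the range check first, so out-of-range values never reach the JVM's verifier.
    static boolean verify(ECPublicKey key, byte[] msg, byte[] sig)
            throws GeneralSecurityException {
        if (!inRange(sig, key)) return false;
        Signature v = Signature.getInstance("SHA256withECDSAinP1363Format");
        v.initVerify(key);
        v.update(msg);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        ECPublicKey pub = (ECPublicKey) kp.getPublic();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] genuine = signer.sign();
        byte[] blank = new byte[genuine.length];         // r = 0, s = 0

        System.out.println("genuine accepted: " + verify(pub, msg, genuine));
        System.out.println("blank accepted:   " + verify(pub, msg, blank));
    }
}
```

A guard like this is defense in depth for code that cannot be redeployed on a patched JDK immediately; it does not replace the update.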


News URL

https://thehackernews.com/2022/04/researcher-releases-poc-for-recent-java.html