Oracle has patched a vulnerability that resides in the ECDSA (Elliptic Curve Digital Signature Algorithm) signature mechanism that could allow an attacker to forge certificates, signatures, WebAuthn authentication messages, and bypass other authentication mechanisms.
The vulnerability, which is now tracked as (CVE-2022-21449) was discovered by ForgeRock security researcher Neil Madden, is as serious as they come for cryptographic bugs and it affects Java versions 7, 8, 11, 15,16, 17, and 18.
“It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs,” Madden says.
ECDSA is the elliptic curve digital signature algorithm and it is used in a wide range of applications and cryptographic libraries. In practice, a signature generated by ECDSA comprises two values, r and s. Verifying the signature involves checking an equation including r, s, a hash of the message, and the signer’s public key. A valid signature is one in which both sides of the equation are equal.
Madden points out that the affected versions of Java ECDSA implementation do not check whether r and s are each greater than zero. So an attacker could generate a signature in which both values are zero, and a vulnerable version of Java would take it as a valid signature for any message, using any public key.
About ECDSA signature
ECDSA stands for the Elliptic Curve Digital Signature Algorithm, and it is a widely used standard for signing all kinds of digital documents. Compared to the older RSA standard, elliptic curve keys and signatures tend to be much smaller for equivalent security, resulting in them being widely used in cases where size is at a premium.
While Oracle only assigned the bug 7.5 (high rated) under the Common Vulnerability Scoring System, ForgeRock disagreed, rating it 10.0 “due to the wide range of impacts on different functionality in an access management context”.
The researcher strongly encouraged any organizations running vulnerable versions to update to the fixed releases, which Oracle published on Tuesday.
iTnews reported that Yubico has confirmed that their product is not affected by this issue.
“Yubico is aware of this issue and how it affects Oracle Java 15+ and OpenJDK, including other JDKs derived from OpenJDK," the company said.
At the time of writing, we have seen a couple of POC released on GitHub. One is from JFrog, who released a tool that allows performing a quick scan of compiled code archives (.jar, .war, etc) in order to check for vulnerability to CVE-2022-21449 by looking for the string indicating the use of the ECDSA algorithm. Another Proof of Concept demonstrates CVE-2022-21449) usage with a vulnerable client and a malicious TLS server.