Proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online.
Affected versions:
- Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
- Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 188.8.131.52
The issue resides in Java's implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), a cryptographic mechanism for digitally signing messages and data so that the authenticity and integrity of the contents can be verified.
In a nutshell, the cryptographic blunder, dubbed Psychic Signatures in Java, makes it possible to present a completely blank signature that the vulnerable implementation nonetheless accepts as valid.
Successful exploitation of the flaw could allow an attacker to forge signatures and bypass the authentication measures that rely on them.
The PoC, published by security researcher Khaled Nassar, involves a vulnerable client and a malicious TLS server; the client accepts an invalid signature from the server, effectively allowing the TLS handshake to proceed unimpeded.
“It’s hard to overstate the severity of this bug,” ForgeRock researcher Neil Madden, who found and reported the flaw on November 11, 2021, stated.
“If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version.”
The issue has since been addressed by Oracle as part of its quarterly April 2022 Critical Patch Update (CPU), released on April 19, 2022.
In light of the release of the PoC, organizations that use Java 15, Java 16, Java 17, or Java 18 in their environments are advised to prioritize the patches to mitigate active exploitation.