Java version 15 and above has a flaw in its implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), which allows cybercriminals to forge certain types of Secure Sockets Layer (SSL) certificates, signed JSON Web Tokens (JWTs) Could exploit to sign files digitally. , and even two-factor authentication messages. The issue was first discovered last year and was reported to Oracle, which finally patched it last week. However, since organizations take time to update their systems with the latest releases, any device that uses affected Java versions to consume digitally signed data could be at risk.
Oracle resolved the issue, also known as a mistake among the community, as a part of over 500 reforms, have vulnerability tracked as CVE-2022-21449.
Security vulnerabilities discovered and reported by researcher Neil Madden of security consulting firm ForgeRock Oracle Privately in November. Although the software company has given the issue a severity rating of 7.5 out of 10, experts including ForgeRock consider it a defect. 10. severity rating of – “Due to the wide range of effects on different functionality” which can bring a big impact.
“If you’re running one of the vulnerable versions an attacker can easily steal some sort of SSL certificate and handshake (allowing interception and modification of communication), signed JWTs, SAML assertions or OIDC ID tokens, and even that WebAuthn can also create authentication messages. Using all the digital equivalents of a blank piece of paper,” Madden wrote In a blog post.
Cybercriminals and hackers can use the flaw to digitally sign a malicious app or file, which can have different implications for end consumers. This could allow attackers to eventually gain backdoor access to systems or hack networks using files and data that appear to be authentic and trustworthy.
Java Uses ECDSA which is based on the principles of elliptic curve cryptography – a known and widely adopted approach to enable key agreements and digital signatures. The researcher found that the bug was introduced by a rewrite of elliptic curve cryptography from native C++ to Java, which coincided with the release of Java 15.
Digital signatures based on elliptic curve cryptography typically require users to prove to recipients that they have access to the private key corresponding to the public key. It helps to verify the authentication and allows users to gain access to the data. It also prohibits users who do not have access to the relevant private key to submit a digital signature for the handshake.
However, using the flaw, an attacker can use a blank signature that can be assumed to be valid and verified by the system against any public key.
Madden equates these signatures to “mental papers”—the plot device that appears on the long-running sci-fi doctor who, It was essentially a completely blank paper, but was designed to serve as a security pass, warrant, or a proof based on what the protagonist wants others to see.
“An ECDSA signature consists of two values, called r and s,” said the researcher, explaining the flaw. “To verify an ECDSA signature, the verifier checks the equation containing r, s, the signer’s public key, and the message’s hash. If both sides of the equation are equal then the signature is valid, otherwise it is rejected.” “
The procedure includes a condition that r and s must not be zero in the calculation. However, this is not the case with Java’s implementation of validation.
“Java’s implementation of ECDSA signature verification did not check whether r or s were null, so you can generate a signature value in which they are both 0 (appropriately encoded) and Java can convert it to any message and any message.” as a valid signature for the public key,” Madden said.
Echoing the seriousness highlighted by Madden, security expert Thomas Patasek said This issue is the “crypto bug of the year”.
data security firm sophos in a blog post Told That bug isn’t just affecting the Java servers that are interacting with the client software.
“Any device that consumes digitally signed data inside your network may be at risk,” it said.
The affected Java versions – Java 15 to 18 – have thankfully not been as widely used as its previous releases. According to the data of a survey conducted between February and March 2021, cyber security firm Snyk said Java 11 accounted for over 61 percent of the total deployment, while Java 15 accounted for 12 percent.
Nevertheless, IT administrators and organizations are advised to update their Java version quickly to avoid any future attack incidents.