Java Digital Signature Bypass Vulnerability

Security researcher Khaled Nassar released a PoC code for a new digital signature bypass vulnerability, tracked as CVE-2022-21449 with CVSS score: 7.5 in Java.

An unauthenticated attacker with network access via multiple protocols can trigger the issue to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

The flaw impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition:

• Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
• Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

The vulnerability, dubbed Psychic Signatures, resides in Java’s implementation of the Elliptic Curve Digital Signature Algorithm. The flaw allows presenting a totally blank signature that is accepted as valid by the vulnerable implementation.

Successful exploitation of the flaw could permit an attacker to forge signatures and bypass auth measures put in place.

Researcher demonstrated that setting up a malicious TLS server could deceive a client into accepting an invalid signature from the server, effectively allowing the rest of the TLS handshake to continue.

This was reported to Oracle during November 2021 and Oracle addressed the issue with the release of the April 2022 Critical Patch Update (CPU).

Organizations that have deployed Java 15, Java 16, Java 17, or 18 in production should install the security updates immediately.