Serious Java vulnerability lets hackers masquerade as anyone they please

By Scott Marlette Last updated Apr 25, 2022

Oracle has patched a nasty vulnerability in the Java framework, the severity of which cannot be overstated, security experts say.

Tracked as CVE-2022-21449, the flaw was found in the company’s Elliptic Curve Digital Signature Algorithm (ECDSA) for Java 15 and newer. It allows threat actors to fake TSL certificates and signatures, two-factor authentication codes, authorization credentials and the like.

As explained by ArsTechnica, ECDSA is an algorithm that digitally authenticates messages. As it generates keys, it’s often used in standards such as FIDO’s two-factor authentication, the Security Assertion Markup Language, OpenID, and JSON.

Forging SSL certificates and handshakes

The vulnerability was first discovered by Neil Madden of ForgeRock, who compared the exploit to the blank identity card from sci-fi series Doctor Who. In the series, the person looking at the ID card sees whatever the holder wants them to see, despite the fact that the card is blank.

“It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used ECDSA signatures,” Madden explained.

“If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.”

The flaw has received an official severity score of 7.5/10, but Madden disagrees strongly with the assessment.

“It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs,” he said.

Allegedly, only Java versions 15 and newer are affected, although Oracle also listed versions 7,8, and 11, as vulnerable. Still, all customers are urged to update their endpoints to the newest version.

Via ArsTechnica

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.