Java Psychic Signatures

high Web App Scanning Plugin ID 113242

Language:

Synopsis

Java Psychic Signatures

Description

Oracle Java SE versions 15, 17 and 18 and Oracle GraalVM Enterprise Edition versions 21.3.1 and 22.0.0.2 do not properly verify Ellipic Curve Digital Signature Algorithm (ECDSA) based signatures. By forcing the `r` and `s` components values of the signature to zero, an attacker could forge a valid signature for any message and public key which would be accepted by the vulnerable library or component version. Attackers could leverage this vulnerability to bypass any security mechanism relying on this algorithm and its Java implementation.

Solution

Apply Oracle Critical Patch Update from April 2022 on the vulnerable component.

See Also

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

https://www.oracle.com/security-alerts/cpuapr2022.html

Plugin Details

Severity: High

ID: 113242

Type: remote

Family: Component Vulnerability

Published: 6/28/2022

Updated: 1/8/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-21449

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: CVE-2022-21449

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2022-21449

CWE: 347

OWASP: 2010-A3, 2013-A2, 2013-A9, 2017-A2, 2017-A9, 2021-A2, 2021-A6

WASC: Insufficient Authentication

CAPEC: 463, 475

DISA STIG: APSC-DV-002440, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.10.1, 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10(5)

OWASP API: 2019-API2, 2023-API2

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-3.5.3

PCI-DSS: 3.2-6.2, 3.2-6.5.8