Patch critical cryptographic Java flaw "Psychic Signatures"
Apr 25, 2022 | Security Advisory
A few days ago, security researcher Neil Madden published a blog post, about a recently disclosed vulnerability in Java, CVE-2022-21449 named “Psychic Signatures”. Vulnerability initiates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15 to 18.
Summary
This vulnerability initiates an improper implementation of the ECDSA signature verification algorithm allows an attacker to intercept communication such as SSL, and authentication processes. It has a CVSS of 7.5.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or Java applets, that executed untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs.
Mitigation
To mitigate this Java vulnerability, we recommend upgrading Java to the latest version for 17.03 or 18.0.1
Check the following ECDSA variations that should not be used in your java implementation
NONEwithECDSA SHA1withECDSA SHA224withECDSA SHA256withECDSA SHA384withECDSA SHA512withECDSA SHA3-224withECDSA SHA3-256withECDSA SHA3-384withECDSA SHA3-512withECDSA NONEwithECDSAinP1363Format SHA1withECDSAinP1363Format SHA224withECDSAinP1363Format SHA256withECDSAinP1363Format SHA384withECDSAinP1363Format SHA512withECDSAinP1363Format SHA3-224withECDSAinP1363Format SHA3-256withECDSAinP1363Format SHA3-384withECDSAinP1363Format SHA3-512withECDSAinP1363Format
We recommend using the EdDSA/Ed25519 signature algorithms
Any other variations of the RSA or DSA algorithms can be used
CVE-2022-21449 is a vulnerability in the implementation of the Elliptic Curve Digital Signature Algorithm, caused by an improper implementation of the signature verification algorithm.
Disclaimer
The information provided in the Arcane Security Advisory is provided "as is" without warranty of any kind. Arcane disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Arcane or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if Arcane or its suppliers have been advised of the possibility of such damages.
Tags: #java #security-advisoryHave questions? Let's talk