Patch critical cryptographic Java flaw "Psychic Signatures"

Apr 25, 2022 | Security Advisory

A few days ago, security researcher Neil Madden published a blog post about a recently disclosed vulnerability in Java, CVE-2022-21449, named “Psychic Signatures”. The vulnerability stems from an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15 to 18.

Summary

This vulnerability stems from an improper implementation of the ECDSA signature verification algorithm and allows an attacker to intercept communication such as SSL, as well as authentication processes. It has a CVSS score of 7.5.
This vulnerability applies to Java deployments, typically clients running sandboxed Java Web Start applications or Java applets, that execute untrusted code and rely on the Java sandbox for security. It can also be exploited through the affected APIs.

Mitigation

  • To mitigate this Java vulnerability, we recommend upgrading Java to the latest version: 17.03 or 18.0.1

  • Check your Java implementation for the following ECDSA variants, which should not be used:

    NONEwithECDSA
    SHA1withECDSA
    SHA224withECDSA
    SHA256withECDSA
    SHA384withECDSA
    SHA512withECDSA
    SHA3-224withECDSA
    SHA3-256withECDSA
    SHA3-384withECDSA
    SHA3-512withECDSA
    NONEwithECDSAinP1363Format
    SHA1withECDSAinP1363Format
    SHA224withECDSAinP1363Format
    SHA256withECDSAinP1363Format
    SHA384withECDSAinP1363Format
    SHA512withECDSAinP1363Format
    SHA3-224withECDSAinP1363Format
    SHA3-256withECDSAinP1363Format
    SHA3-384withECDSAinP1363Format
    SHA3-512withECDSAinP1363Format
  • We recommend using the EdDSA/Ed25519 signature algorithms instead

  • Any other variant of the RSA or DSA algorithms can be used
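
As an added example (not code from the advisory, from Oracle or from Neil Madden's post), a small Python helper that automates the two checks above: it scans Java source for `Signature.getInstance` calls that select one of the listed ECDSA variants, and it classifies the first line of `java -version` output against the affected range. The fixed-update mapping is an assumption taken from the advisory's own figures, reading 17.03 as update 17.0.3 and 18.0.1 as-is; the sample Java source is constructed for the demonstration.

```python
import re

# Signature algorithm names the advisory lists as affected by CVE-2022-21449.
AFFECTED_ECDSA_ALGORITHMS = frozenset(
    f"{digest}withECDSA{suffix}"
    for digest in ("NONE", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512",
                   "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512")
    for suffix in ("", "inP1363Format")
)
_LOOKUP = {name.lower(): name for name in AFFECTED_ECDSA_ALGORITHMS}

# Matches Signature.getInstance("<algorithm>" ...) with a string literal.
_GET_INSTANCE = re.compile(r'Signature\s*\.\s*getInstance\s*\(\s*"([^"]+)"')

def find_affected_signature_uses(java_source: str):
    """Return (line_number, algorithm) for each Signature.getInstance call
    selecting an affected ECDSA variant. JCA algorithm names are
    case-insensitive, so the match is too."""
    hits = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for match in _GET_INSTANCE.finditer(line):
            canonical = _LOOKUP.get(match.group(1).lower())
            if canonical:
                hits.append((lineno, canonical))
    return hits

# First line of `java -version`, e.g.: openjdk version "17.0.2" 2022-01-18
_VERSION = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?')

def runtime_is_affected(java_version_output: str) -> bool:
    """True if the reported JDK is in the affected range (Java 15 to 18) and
    below the fixed update named in the advisory (assumption: the advisory's
    17.03 means 17.0.3). The advisory names no fixed update for Java 15 or
    16, so every build of them is treated as affected."""
    m = _VERSION.search(java_version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    feature, interim, update = (int(g or 0) for g in m.groups())
    fixed_update = {17: 3, 18: 1}
    if feature in fixed_update:
        return (interim, update) < (0, fixed_update[feature])
    return feature in (15, 16)
# Constructed sample Java source used for the demonstration below.
SAMPLE_JAVA_SOURCE = '''Signature s1 = Signature.getInstance("SHA256withECDSA");
Signature s2 = Signature.getInstance("Ed25519");
Signature s3 = Signature.getInstance("sha384withecdsainp1363format");'''
if __name__ == "__main__":
    print(find_affected_signature_uses(SAMPLE_JAVA_SOURCE))
    print(runtime_is_affected('openjdk version "17.0.2" 2022-01-18'))
```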

CVE-2022-21449 is a vulnerability in Java's implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA), caused by an improper implementation of the signature verification algorithm.

Disclaimer

The information provided in the Arcane Security Advisory is provided "as is" without warranty of any kind. Arcane disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Arcane or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if Arcane or its suppliers have been advised of the possibility of such damages.

Tags: #java #security-advisory
