
Warning: Java affected by a vulnerability in the Elliptic Curve Digital Signature Algorithm (ECDSA) CVE-2022-21449 a.k.a. “Psychic Signatures”

Reference: Advisory #2022-009
Version: 1.0
Affected software:
  • Oracle Java SE: versions 15, 16, 17, 18
  • Oracle GraalVM Enterprise Edition: versions 20, 21, 22
Type: Improper implementation of a cryptographic algorithm
CVE/CVSS: CVE-2022-21449 (CVSS score: 7.5)

Risks

The objective of this alert is to raise awareness about a vulnerability in the verification of Elliptic Curve Digital Signature Algorithm (ECDSA) signatures in Java 15, 16, 17 and 18 and in Oracle GraalVM Enterprise Edition.

Successful exploitation of the flaw could allow an attacker to forge signatures and bypass authentication on a vulnerable system. The issue has been addressed in Oracle's quarterly April 2022 Critical Patch Update (CPU) released on April 19, 2022.

The Centre for Cyber security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

In case of an intrusion, you can report the incident via: https://cert.be/en/report-incident

Description

The vulnerability, catalogued as CVE-2022-21449, originates in an improper implementation of the ECDSA signature verification algorithm. It potentially allows an attacker to intercept communications and messages that should otherwise have been encrypted, such as SSL/TLS handshakes, electronic signatures, authentication processes (JWT), SOA services, etc.

CVE-2022-21449 is a vulnerability in the implementation of signature verification in the Elliptic Curve Digital Signature Algorithm. Effectively, it nullifies the integrity guarantee that ECDSA signatures are meant to provide for the signed content (SSL handshakes, signatures, certificates).

  • The signature validation algorithm uses a mathematical equation based on the signer's public key, a hash of the message, and the two values that make up the ECDSA signature (r, s).
  • A signature is validated when both sides of the equation are equal.
  • The faulty implementation introduced in Java 15 doesn't check that the r and s values in use are non-zero, which is a prerequisite for the algorithm to work.
  • If r and s are allowed to be zero, both sides of the equation in which they are used as multipliers become zero, yielding the trivially true statement 0 = 0.
  • In this case the signature is considered valid, allowing an attacker who presents an empty signature (all zeroes) to access content that should be encrypted.

Recommended Actions

1. Scope

Create an inventory that includes all the software in your organisation and check, for each entry, whether it is vulnerable.

Vulnerable software: CVE-2022-21449 impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition.

  • Oracle Java SE: versions 15, 16, 17, 18
  • Oracle GraalVM Enterprise Edition: versions 20, 21, 22

JFrog released a tool on its GitHub repository to perform a scan to determine whether your applications are vulnerable to CVE-2022-21449.

- JFrog: https://github.com/jfrog/jfrog-CVE-2022-21449
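As an added example of the inventory step (not a CCB tool and unrelated to the JFrog scanner above), the Python script below classifies collected `java -version` banners against the major versions the advisory lists. The banners in `SAMPLE_INVENTORY` are constructed, not captured from real systems, and the GraalVM banner format matched by `GRAALVM_RE` is an assumption. The script deliberately does not encode fixed patch levels: a major version inside the affected range means "compare the patch level with the April 2022 CPU", nothing more.

```python
"""Classify `java -version` banners against the advisory's affected versions (added example)."""
import re

# Major versions the advisory lists as affected.
AFFECTED_JAVA_SE = {15, 16, 17, 18}
AFFECTED_GRAALVM_EE = {20, 21, 22}

# First banner line, e.g.  openjdk version "17.0.2" 2022-01-18  or  java version "1.8.0_292"
VERSION_RE = re.compile(r'version "([^"]+)"')
# GraalVM branding in the runtime line (assumed format, e.g. "GraalVM EE 21.3.1").
GRAALVM_RE = re.compile(r"GraalVM (EE|CE) (\d+)\.")

# Constructed sample inventory: hostname -> captured banner text.
SAMPLE_INVENTORY = {
    "app-server-01": 'openjdk version "17.0.2" 2022-01-18\n'
                     'OpenJDK Runtime Environment (build 17.0.2+8-86)',
    "batch-02": 'java version "1.8.0_292"\n'
                'Java(TM) SE Runtime Environment (build 1.8.0_292-b10)',
    "graal-03": 'openjdk version "17.0.2" 2022-01-18\n'
                'OpenJDK Runtime Environment GraalVM EE 21.3.1 (build 17.0.2+8-LTS-jvmci-21.3-b05)',
    "legacy-04": 'java version "11.0.12" 2021-07-20 LTS\n'
                 'Java(TM) SE Runtime Environment 18.9 (build 11.0.12+8-LTS-237)',
}


def java_major(version_string):
    """Feature (major) version of a Java version string.

    Legacy scheme "1.8.0_292" -> 8 (second field); modern scheme "17.0.2" -> 17.
    """
    parts = version_string.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group(0))


def classify_banner(banner):
    """Return (verdict, detail); verdict is 'affected-range', 'not-affected' or 'unknown'."""
    m = VERSION_RE.search(banner)
    if not m:
        return ("unknown", "no version string found in banner")
    major = java_major(m.group(1))
    reasons = []
    if major in AFFECTED_JAVA_SE:
        reasons.append(f"Java SE {major} is in the affected range")
    g = GRAALVM_RE.search(banner)
    if g and g.group(1) == "EE" and int(g.group(2)) in AFFECTED_GRAALVM_EE:
        reasons.append(f"GraalVM EE {g.group(2)} is in the affected range")
    if reasons:
        return ("affected-range",
                "; ".join(reasons) + " (verify patch level against the April 2022 CPU)")
    return ("not-affected", f"Java {major} is outside the affected range")


def scan_inventory(inventory):
    """Map every host to its verdict; hosts needing follow-up sort first."""
    results = {host: classify_banner(banner) for host, banner in inventory.items()}
    order = {"affected-range": 0, "unknown": 1, "not-affected": 2}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))


if __name__ == "__main__":
    for host, (verdict, detail) in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:15} {verdict:15} {detail}")
```

In practice the banners would come from the inventory tool or from running `java -version` on each host (it prints to stderr); bundled JREs inside application directories should be included, since those are the ones a system package manager does not see.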

2. Mitigate
 
If upgrading Java isn't possible, the CCB recommends using the EdDSA or Ed25519 signature algorithms as an alternative.

Remark: if legacy support is needed, any other variant of the RSA or DSA algorithms can be used. See the Java documentation for a list of the supported algorithms.

This is the list of ECDSA variations that should not be used:

  • NONEwithECDSA
  • SHA1withECDSA
  • SHA224withECDSA
  • SHA256withECDSA
  • SHA384withECDSA
  • SHA512withECDSA
  • SHA3-224withECDSA
  • SHA3-256withECDSA
  • SHA3-384withECDSA
  • SHA3-512withECDSA
  • NONEwithECDSAinP1363Format
  • SHA1withECDSAinP1363Format
  • SHA224withECDSAinP1363Format
  • SHA256withECDSAinP1363Format
  • SHA384withECDSAinP1363Format
  • SHA512withECDSAinP1363Format
  • SHA3-224withECDSAinP1363Format
  • SHA3-256withECDSAinP1363Format
  • SHA3-384withECDSAinP1363Format
  • SHA3-512withECDSAinP1363Format

3. Patch

The issue has been addressed in Oracle's quarterly April 2022 Critical Patch Update (CPU) released on April 19, 2022.
To prevent the vulnerable library from being exploited, it is urgently recommended to patch vulnerable software.

- Patch: https://www.oracle.com/security-alerts/cpuapr2022.html

4. Monitor/Detect
 
The CCB advises organisations to scale up their monitoring and detection capabilities in order to detect any related suspicious activity and ensure a fast response in case of an intrusion.