Oracle Fixed A Java JDK Cryptographic Bug Allowing Credential Forgery

The tech firm Oracle has recently patched a severe cryptographic bug in Java JDK that could allow an attacker to forge credentials. The bug appeared due to a coding glitch and didn’t affect the encryption technology directly. Nonetheless, it could still lead to severe damages upon exploitation.

Java JDK Cryptographic Bug Fixed

Security researcher Neil Madden has recently shared a detailed post highlighting a cryptographic bug in Java JDK.

Specifically, the Java Development Kit (JDK) is Oracle’s Java technology distribution that facilitates the development and testing of Java-based programs.

Briefly, the bug existed in the Java implementation of the ECDSA sign verification. (Elliptic Curve Digital Signature Algorithm (ECDSA) encryption standard for signing digital documents.)

Describing the bug, the researcher stated,

Java’s implementation of ECDSA signature verification didn’t check if r or s were zero, so you could produce a signature value in which they are both 0 (appropriately encoded) and Java would accept it as a valid signature for any message and for any public key.

Whereas, ideally, both r and s should be >=1. So that’s where the problem existed.

The researcher noticed that the bug appeared with Java 15 due to erroneous rewriting of EC code from C++ to Java. So, the earlier Java versions with the native C++ code remained unaffected by this vulnerability. However, Java versions 15 to 18 remained vulnerable.

Following this discovery, the researcher reported the matter to Oracle, which then patched the flaw.

According to Oracle’s advisory, exploiting the bug required no user interaction and could allow remote exploitation. Describing the impact of this vulnerability, CVE-2022-21449 (CVSS 7.5), the bug description states,

Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Oracle has fixed the vulnerability with the release of the latest JDK version and has also released the patch to the affected products with April updates.

Related posts

Microsoft Defender VPN Detects Unsafe WiFi Networks

Microsoft Makes Recall Opt-In While Improving Privacy

Kia Dealer Portal Vulnerability Risked Millions of Cars