Security news that informs and inspires

Java Crypto Bug Allows Forging of Signatures, Certificates

Many versions of Java include a vulnerability in the implementation of the ECDSA signature mechanism that could allow an attacker to forge certificates, signatures, WebAuthn authentication messages, and bypass other authentication mechanisms.

The vulnerability (CVE-2022-21449) is as serious as they come for cryptographic bugs and it affects Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2. The researcher who discovered the bug encouraged any organizations running vulnerable versions to update to the fixed releases, which Oracle published on Tuesday.

“It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs,” a post by researcher Neil Madden of ForgeRock, who discovered the flaw, says.

“If you have deployed Java 15, Java 16, Java 17, or Java 18 in production then you should stop what you are doing and immediately update to install the fixes.”

ECDSA is the elliptic curve digital signature algorithm and it is used in a wide range of applications and cryptographic libraries. In practice, a signature generated by ECDSA comprises two values, r and s. Verifying the signature involves checking an equation including r, s, a hash of the message, and the signer’s public key. A valid signature is one in which both sides of the equation are equal.

“One side of the equation is r and the other side is multiplied by r and a value derived from s. So it would obviously be a really bad thing if r and s were both 0, because then you’d be checking that 0 = 0 ⨉ [a bunch of stuff], which will be true regardless of the value of [a bunch of stuff]! And that bunch of stuff is the important bits like the message and the public key. This is why the very first check in the ECDSA verification algorithm is to ensure that rand s are both >= 1,” Madden said.

However, the Java ECDSA implementation does not check whether r and s are each greater than zero. So an attacker could generate a signature in which both values are zero, and a vulnerable version of Java would take it as a valid signature for any message, using any public key. The bug was introduced in Java 15, which was released in September 2020.

“In general, cryptographic code is very tricky to implement correctly and public key signature algorithms are some of the trickiest. ECDSA is itself one of the most fragile algorithms, where even a tiny amount of bias in one random value can allow complete recovery of your private key,” Madden said.

Oracle has released fixed versions of all of the known-vulnerable Java versions as part of the April critical patch update. Organizations that have implemented vulnerable versions should upgrade to the patched releases as soon as is practicable.