Java’s Weak Cybersecurity Track Record Continues … This Time It’s A Breach of Trust


Java has always had a bit of a troubled security track record, and its framework has often been one of the top targets for malware and attackers. The latest vulnerability is as bad as it gets for trustworthiness. In fact, the April 2022 Java Critical Patch Update (CPU) defined over 500 patches.

With the latest bug, Neil Madden reported a new vulnerability in the checking of ECDSA signatures, where an adversary can bypass ECDSA signatures within Java 15, 16, 17 and 18.

The vulnerability has been announced as CVE-2022-21449, and Oracle has been patching a range of Java versions. Unfortunately, Java updates are not the easiest to roll out, especially on embedded systems, and this could mean that many systems go unpatched. The affected application areas include TLS tunnels, FIDO/Web Authentication and JWT (JSON Web Tokens).

With ECDSA, a signature is passed as two values, r and s, and these are checked against the hash of the message and a public key value. Neil found that when these values are zero, the signature will be verified.
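ECDSA requires both r and s to lie in the range [1, n-1], where n is the order of the curve group, so a zero value must be rejected before any curve arithmetic is done. The following is an added example, not code from the original article or from the JDK: a pre-verification filter that applies this range check to a raw r||s signature (the form used in JWT ES256) and to a DER-encoded one. It assumes the P-256 curve, its function names are illustrative, and it does not verify the signature itself.

```python
# Order n of the NIST P-256 group (public curve constant).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def _read_len(buf, i):
    """Read a DER length field at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    count = first & 0x7F
    if count == 0 or count > 2:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count

def parse_der(sig):
    """Parse SEQUENCE { INTEGER r, INTEGER s } and return (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    total, i = _read_len(sig, 1)
    if i + total != len(sig):
        raise ValueError("SEQUENCE length mismatch")
    values = []
    for _ in range(2):
        if sig[i] != 0x02:
            raise ValueError("expected INTEGER")
        size, i = _read_len(sig, i + 1)
        body = sig[i:i + size]
        if size == 0 or len(body) != size or body[0] & 0x80:
            raise ValueError("empty, truncated or negative INTEGER")
        values.append(int.from_bytes(body, "big"))
        i += size
    if i != len(sig):
        raise ValueError("trailing data")
    return tuple(values)

def signature_values_ok(sig, fmt):
    """True only if 1 <= r, s <= n-1. fmt is 'p1363' (raw r||s) or 'der'."""
    try:
        if fmt == "p1363":
            if len(sig) != 64:
                raise ValueError("P-256 raw signature must be 64 bytes")
            r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
        else:
            r, s = parse_der(sig)
    except (ValueError, IndexError):
        return False  # malformed input is rejected, never passed on
    return 1 <= r < P256_N and 1 <= s < P256_N

ZERO_RAW = bytes(64)  # constructed sample: r = s = 0, raw form
ZERO_DER = bytes.fromhex("3006020100020100")  # constructed sample: r = s = 0, DER
```

A signature that passes this filter still has to go through full ECDSA verification; the filter only rejects values that no valid signature can contain.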


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
