Threat Response: Vulnerability in Java implementation of ECDSA

21-04-2022

On Tuesday 19 April, details became public of a vulnerability in the implementation of the cryptographic protocol ECDSA (Elliptic Curve Digital Signature Algorithm) in several Java versions [1]. In this message, we want to inform you about the threat and the possible mitigations.

Description

Digital signatures are used all over the internet to validate the integrity of shared documents and webpages. For example, when browsing to a secured website (HTTPS), a certificate is used to convey the integrity of the webpage. This certificate is validated by checking whether its signature is valid. To do so, a Digital Signature Algorithm is used.

The vulnerability, tracked as CVE-2022-21449, causes invalid signatures to be accepted as valid by the Java application. Certificate-based authentication of any application using ECDSA signatures can therefore be bypassed when the vulnerable Java versions are running, meaning unauthorised access to data in the application is possible. ECDSA-based signatures are also widely used in other authentication protocols (JSON Web Tokens (JWT), SAML, WebAuthn providers).

At least the following Java (JDK/JRE) versions are affected:

  • Java 15
  • Java 16
  • Java 17
  • Java 18

For OpenJDK, different versions (15, 17, 18) are listed [2]. Furthermore, Oracle also lists Java 7, 8 and 11 as vulnerable [3]. Please make sure to refer to the official channels of Oracle and OpenJDK for any updates regarding vulnerable versions.

Background

In the case of ECDSA, the notion of elliptic curve cryptography is used to generate and validate a signature. A signature in ECDSA is represented by two values, (r, s). Using these values, and information presented about the curve used, the receiver can verify whether the signature is valid.

As the calculation is based on multiplication, the combination (r=0, s=0) should not be used, as this would always yield an equal result (0 = 0 x [anything]). However, this check is missing in the current implementations of ECDSA in Java, causing a vulnerability when validating signatures.
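The missing check described above is the first step of standard ECDSA verification: both r and s must lie in the range [1, n-1], where n is the order of the curve. The following is an added example, not code from the JDK or from the original advisory, of applying that range check in application code before calling Signature.verify(). It assumes the raw fixed-width r || s encoding (as used by JWT ES256) on the secp256r1 curve; the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.util.Arrays;

public class EcdsaRangeCheck {

    /** Order n of the named curve, read from the JDK's own curve parameters. */
    static BigInteger curveOrder(String curveName) throws Exception {
        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec(curveName));
        return params.getParameterSpec(ECParameterSpec.class).getOrder();
    }

    /**
     * Returns true only if the raw signature (r || s, fixed width) has both
     * components in [1, n-1]. Anything else must be rejected before verification.
     */
    static boolean inRange(byte[] rawSig, BigInteger n) {
        int width = (n.bitLength() + 7) / 8;          // 32 bytes for secp256r1
        if (rawSig == null || rawSig.length != 2 * width) {
            return false;                             // malformed encoding
        }
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(rawSig, 0, width));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(rawSig, width, 2 * width));
        return r.signum() > 0 && r.compareTo(n) < 0
            && s.signum() > 0 && s.compareTo(n) < 0;
    }

    public static void main(String[] args) throws Exception {
        BigInteger n = curveOrder("secp256r1");
        byte[] zeros = new byte[64];                  // constructed sample: r = 0, s = 0
        byte[] ones = new byte[64];                   // constructed sample: r = 1, s = 1
        ones[31] = 1;
        ones[63] = 1;
        byte[] tooLarge = new byte[64];               // constructed sample: r = s = 2^256 - 1
        Arrays.fill(tooLarge, (byte) 0xFF);

        System.out.println("(0, 0)     in range: " + inRange(zeros, n));
        System.out.println("(1, 1)     in range: " + inRange(ones, n));
        System.out.println("(max, max) in range: " + inRange(tooLarge, n));
        System.out.println("wrong size in range: " + inRange(new byte[10], n));
    }
}
```

A value that passes this check is only well-formed, not valid; the signature still has to be verified against the public key. The check is a defence-in-depth measure and does not replace installing the patched Java version.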

Impact

The vulnerability leads to a state in which signatures with the pair (r, s) = (0, 0) are accepted as valid signatures in any case. This means that any message or data signed using this signature pair is accepted by applications running the affected Java versions. Aside from bypassing certificate-based authentication mechanisms, an attacker could perform a man-in-the-middle attack by forging a valid signature for another webpage. This has implications for both the confidentiality and the integrity of data and could be misused to steal credentials.

As this type of signature is used widely and Java-based applications are common, this vulnerability has been classified by us as having high impact.

Risk

As signatures are the foundation of the trust chain used to verify identities, a vulnerability in signature algorithms has far-reaching consequences. Although certain attack vectors have been provided above, there might be other ways for an attacker to exploit the vulnerability. Most of these can be performed remotely without authentication (or even bypassing active authentication measures), causing unauthorised access to potentially confidential data. Therefore, we deem this vulnerability to be high risk.

Mitigation

Updates have been made available by Oracle and OpenJDK to fix the vulnerability [2][3].

Alternatively, the BouncyCastle provider [4] for cryptographic functions may be used for the Java Virtual Machine (JVM). You will need to update the java.security file to use this mitigation. For more details, refer to the installation guide [5].
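After patching or changing the provider configuration, it helps to confirm which runtime and which provider actually handle ECDSA verification on a given host. The following is an added example, not part of the original advisory or of the BouncyCastle documentation; the class and method names are hypothetical, and it uses only standard java.security APIs.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

public class EcdsaProviderAudit {

    /** Installed providers, in preference order, that register the given Signature algorithm. */
    static List<String> providersFor(String algorithm) {
        List<String> names = new ArrayList<>();
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            if (installed[i].getService("Signature", algorithm) != null) {
                names.add((i + 1) + ": " + installed[i].getName());
            }
        }
        return names;
    }

    /** Provider the JVM selects when verifying with a freshly generated P-256 key. */
    static String selectedProvider(String algorithm) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair pair = kpg.generateKeyPair();         // throwaway key, used only for the lookup
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(pair.getPublic());        // forces provider selection for this key
        return verifier.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        String alg = "SHA256withECDSA";
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.vendor   = " + System.getProperty("java.vendor"));
        System.out.println("registered by = " + providersFor(alg));
        System.out.println("selected      = " + selectedProvider(alg));
    }
}
```

On a stock Oracle JDK or OpenJDK the selected provider is SunEC; once BouncyCastle is installed ahead of it in java.security, the selected provider should read BC. Run the check with the same JVM and configuration that the application itself uses.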

What should you do?

Make sure to install the available patches mentioned above as soon as possible. Please be aware that applications from third parties might be vulnerable too when running on Java. For third-party applications, refer to the vendor of the application for any updates regarding this vulnerability.

Other vulnerabilities in Java have been fixed in the updates too, so make sure to patch as always, even if you do not make use of the affected functionality.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

[2]: https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19

[3]: https://www.oracle.com/security-alerts/cpuapr2022.html

[4]: https://www.bouncycastle.org/java.html

[5]: https://github.com/bcgit/bc-java/wiki/Provider-Installation

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.