Cryptographic flaw in ECDSA implementation in Java
The Elliptic Curve Digital Signature Algorithm (ECDSA), used in Java and Oracle to digitally sign messages and data to verify the authenticity and integrity of content, is vulnerable due to a signature verification flaw, which could allow malicious downloads to pass for benign content.
This cryptographic error, called Psychic Signatures, is caused by the lack of validation of the (R,S) values used by ECDSA, since if both values are (0,0), the verification would always be valid regardless of the rest of the values.
References:
- 19/04/2022 neilmadden.blog CVE-2022-21449: Psychic Signatures in Java
- 24/04/2022 unaaldia.hispasec.com ‘El error criptográfico del año’ es para Java
- 26/04/2022 media.cert.europa.eu Oracle Java SE RCE Vulnerability
- 21/04/2022 jfrog.com CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability
- 21/04/2022 blog.ehcgroup.io FIRMAS DIGITALES «VACÍAS» EN JAVA (PARCHA CVE-2022-21449!)
- 20/04/2022 nakedsecurity.sophos.com Critical cryptographic Java security blunder patched – update now!
- 22/04/2022 thehackernews.com Researcher Releases PoC for Recent Java Cryptographic Vulnerability