LAST UPDATED Apr 28, 2022
Earlier this week, the ThreatX SOC deployed a rule to protect our client base from a newly discovered vulnerability in Java – CVE-2022-21449, known as “Psychic Signatures.” This rule detects and blocks attempts to use an empty signature for JWT-based authorization.
What Is Psychic Signatures
CVE-2022-21449 (“Psychic Signatures”) is a vulnerability in the ECDSA signature implementation of Java versions 15 to 18. Although it was only discovered on April 19, 2022, the bug was introduced in Java version 15, when cryptographic libraries formerly written in native C++ were rewritten in Java. The vulnerability stems from the lack of a simple check that the signature values (r and s) used in the ECDSA verification equation are non-zero. Without this check, an attacker may be able to bypass authentication entirely. Oracle has released fixes for this issue for the supported Java versions, 17 and 18.
How Dangerous Is It
Classified by the NVD as high severity, this vulnerability allows a malicious server to forge SSL certificates and handshakes, compromising integrity wherever ECDSA signatures are used for validation. It also affects signed JWTs, SAML assertions, OIDC ID tokens, and WebAuthn authentication messages when they are signed with ECDSA.
With this vulnerability, a malicious actor could get a “null” signature accepted as valid simply by setting its values to zero. Ultimately, it compromises any security mechanism that relies on the Java implementation of ECDSA signatures.
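A defender-side pre-check of the kind the rule described above performs, added here as an example and not ThreatX's rule or code: it decodes an ES256 JWT and rejects any signature whose r or s lies outside [1, n-1] before the token reaches the Java verifier. The token claims and helper names are constructed for the example.

```python
import base64
import json

# Order n of the P-256 curve behind JWT "alg": "ES256". A valid ECDSA
# signature (r, s) needs both values in [1, n-1]; the vulnerable Java
# versions skipped that range check, so r = s = 0 verified as valid.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
ES256_SIG_LEN = 64  # JWS ES256 signatures are fixed-width r || s, 32 bytes each

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""

def ecdsa_components_in_range(sig: bytes, order: int = P256_ORDER) -> bool:
    """True only if r and s are both in [1, n-1]; the all-zero case fails."""
    if len(sig) != ES256_SIG_LEN:
        return False
    half = ES256_SIG_LEN // 2
    r = int.from_bytes(sig[:half], "big")
    s = int.from_bytes(sig[half:], "big")
    return 1 <= r < order and 1 <= s < order

def jwt_es256_signature_is_sane(token: str) -> bool:
    """Pre-filter an ES256 JWT before it reaches the library verifier.
    False for malformed or non-ES256 tokens and for any r or s outside
    [1, n-1]; passing only means the real verification may now run."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "ES256":
        return False
    return ecdsa_components_in_range(_b64url_decode(parts[2]))

def _make_token(sig: bytes) -> str:
    """Build a constructed sample token (hypothetical claims) around raw r||s."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    payload = enc(json.dumps({"sub": "alice", "role": "admin"}).encode())
    return f"{header}.{payload}.{enc(sig)}"

# Constructed test vectors: an all-zero r||s (the shape the rule blocks) and
# a token whose r and s are merely in range (it still needs real verification).
FORGED_TOKEN = _make_token(b"\x00" * ES256_SIG_LEN)
IN_RANGE_TOKEN = _make_token((1).to_bytes(32, "big") + (P256_ORDER - 1).to_bytes(32, "big"))
```

The check is a filter in front of the verifier, not a replacement for it; a token that passes still has to be verified against the issuer's public key by a patched runtime.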
How to Respond
If you are running Java version 15 or later, make sure to apply the latest security updates released by Oracle.
For More Details
From the NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-21449
From Oracle: https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA
Contact ThreatX: https://www.threatx.com/contact-us/