Apr 22, 2022
A proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online. The high-severity flaw in question, CVE-2022-21449 (CVSS score: 7.5), impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition - Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18 Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2 The issue resides in Java's implementation of the Elliptic Curve Digital Signature Algorithm ( ECDSA ), a cryptographic mechanism to digitally sign messages and data for verifying the authenticity and the integrity of the contents. In a nutshell, the cryptographic blunder — dubbed Psychic Signatures in Java — makes it possible to present a totally blank signature, which would still be perceived as valid by the vulnerable implementation. Successful exploitation of the flaw could permit an attacker to forge signatures and bypass authentication measures put in place. The PoC,