Oracle Java SE Authentication Bypass Vulnerability (CVE-2022-21449)
Apr 26, 2022 GMT+08:00
I. Overview
Recently, Oracle released its Critical Patch Update advisory for the second quarter of 2022, disclosing an authentication bypass vulnerability (CVE-2022-21449) in several recent versions of Oracle Java SE. The Elliptic Curve Digital Signature Algorithm (ECDSA) implementation in these Java SE versions has a defect that allows attackers to forge certificates, signatures, and two-factor authentication credentials, and thereby bypass authentication. The details of this vulnerability have already been disclosed publicly, so the risk is high.
Java SE is the standard edition of Java. It is used for desktop application development and is the foundation of the other Java editions. If you are a Java SE user, check your version and apply the fix promptly.
Reference:
https://www.oracle.com/security-alerts/cpuapr2022.html
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
II. Severity
Severity: important
(Severity scale: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Oracle Java SE 17.0.2
Oracle Java SE 18
Oracle GraalVM Enterprise Edition 21.3.1
Oracle GraalVM Enterprise Edition 22.0.0.2
IV. Vulnerability Handling
This vulnerability has been fixed in Oracle's official patch. Log in to https://support.oracle.com with a licensed account and download the latest patch.
Note: Before applying the fix, back up your files and test the patched installation thoroughly.
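A self-check that a defender can run on a JVM, before and after patching, to confirm that its ECDSA verifier rejects the all-zero signature described in the referenced blog post. This is an added example, not part of the advisory or of Oracle's patch; it assumes a P-256 key and the SHA256withECDSAinP1363Format algorithm name, which is available in Java 9 and later, and uses a constructed test message.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;

public class EcdsaZeroSignatureCheck {

    // Returns true if this JVM correctly REJECTS an all-zero ECDSA signature,
    // i.e. it is not affected by CVE-2022-21449. A vulnerable JVM returns false.
    public static boolean jvmRejectsZeroSignature() throws Exception {
        // Any freshly generated P-256 key works: the bug does not depend on the key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        // P1363 format is the raw r || s encoding: 32 bytes each for P-256.
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(kp.getPublic());
        verifier.update("constructed test message".getBytes(StandardCharsets.UTF_8));

        // r = 0 and s = 0: a valid verifier must refuse this (r and s must be in [1, n-1]).
        byte[] zeroSignature = new byte[64];
        try {
            return !verifier.verify(zeroSignature);
        } catch (SignatureException e) {
            // Rejecting the malformed signature with an exception is also a correct outcome.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        String version = System.getProperty("java.version");
        if (jvmRejectsZeroSignature()) {
            System.out.println("Java " + version + ": zero ECDSA signature rejected (not affected)");
        } else {
            System.out.println("Java " + version + ": zero ECDSA signature ACCEPTED (vulnerable, patch required)");
        }
    }
}
```

Run it once with each JDK installation on the host (the affected builds are the ones listed in Section III); an "ACCEPTED" result means the installation must be patched before it is used to validate signatures or certificates.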