
Serious Java vulnerability lets hackers masquerade as anyone they please

Oracle has patched a nasty vulnerability in the Java framework, the severity of which cannot be overstated, security experts say.

Tracked as CVE-2022-21449, the flaw lies in the Elliptic Curve Digital Signature Algorithm (ECDSA) implementation shipped in Java 15 and newer. It allows threat actors to forge TLS certificates and signatures, two-factor authentication codes, authorization credentials and the like.

As explained by ArsTechnica, ECDSA is an algorithm that digitally signs and authenticates messages, and it is widely used in standards such as FIDO's two-factor authentication, the Security Assertion Markup Language (SAML), OpenID, and JSON Web Tokens.


Forging SSL certificates and handshakes

The vulnerability was first discovered by Neil Madden of ForgeRock, who compared the exploit to the blank identity card from the sci-fi series Doctor Who. In the series, the person looking at the card sees whatever the holder wants them to see, even though the card is blank.

“It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used ECDSA signatures,” Madden explained. 

“If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.”

The flaw has received an official severity score of 7.5/10, but Madden disagrees strongly with the assessment.

“It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs,” he said.
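The verification step the quotes above revolve around, as an added example that is not from the article, from Madden, or from the JDK: a pure-Python textbook ECDSA over NIST P-256 (the curve behind ES256 JWTs and most WebAuthn credentials) whose `verify()` performs the range check that FIPS 186-4 / ANSI X9.62 require before any curve arithmetic. That check is what the "blank piece of paper" metaphor refers to: both signature values must lie in [1, n-1], and a verifier that skips the check can be driven to accept a signature that carries no information at all. The curve constants are the published P-256 parameters; the key pair and message are constructed for the demonstration.

```python
"""Textbook ECDSA over NIST P-256 with the mandatory signature range check.

Added illustration only (not JDK code). Affine coordinates, no side-channel
hardening: the point is the verification logic, not production performance.
"""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters, as published in FIPS 186-4.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def is_on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); INF counts as on-curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Group law in affine coordinates, including doubling and inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1, so the sum is the identity
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def _hash_to_int(msg):
    # SHA-256 output and n are both 256 bits, so no bit truncation is needed;
    # reducing mod n is harmless because every later step works mod n anyway.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    """Constructed demo key pair: private scalar d in [1, n-1], public point Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sign(d, msg):
    """Standard ECDSA signing; retries on the (astronomically rare) r == 0 or s == 0."""
    e = _hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s == 0:
            continue
        return r, s


def verify(pub, msg, sig):
    """ECDSA verification as the standard specifies it.

    Step 1 is the range check: a signature whose r or s lies outside [1, n-1]
    is rejected before any arithmetic. The missing check of this kind is what
    CVE-2022-21449 was about, so this is the regression a defender cares about.
    """
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    if pub is INF or not is_on_curve(pub):
        return False
    e = _hash_to_int(msg)
    w = pow(s, -1, N)
    u1 = e * w % N
    u2 = r * w % N
    R = _add(_mul(u1, G), _mul(u2, pub))
    if R is INF:
        return False
    return R[0] % N == r


if __name__ == "__main__":
    d, Q = keygen()
    msg = b"constructed demo message"
    sig = sign(d, msg)
    print("genuine signature verifies:", verify(Q, msg, sig))
    print("tampered message verifies:", verify(Q, b"tampered", sig))
    print("out-of-range values verify:", verify(Q, msg, (0, 0)))
```

Running it signs a constructed message and shows three outcomes: the genuine signature verifies, a tampered message fails on the curve arithmetic, and a signature with out-of-range values is refused by the first check without any curve arithmetic at all. The same three assertions, expressed against `java.security.Signature`, are a reasonable regression test for confirming that a JDK carries the April 2022 CPU.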

Reportedly, only Java versions 15 and newer are affected, although Oracle's advisory also lists versions 7, 8, and 11 as vulnerable. Either way, all customers are urged to update their endpoints to the newest version.

Via ArsTechnica

Source: TechRadar
