Major “Psychic Paper” Security Flaw Patched in Java

Neil Madden reports, “CVE-2022-21449: Psychic Signatures in Java”:

The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, this being Doctor Who, the card is really made out of a special “psychic paper”, which causes the person looking at it to see whatever the Doctor wants them to see: a security pass, a warrant, or whatever.

It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used ECDSA signatures. If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.

It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys*) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs.

A detailed analysis of the flaw and how it might be exploited is in the linked post. The U.S. National Institute of Standards and Technology has posted CVE-2022-21449 in the National Vulnerability Database, rating its severity as “7.5, High”.

If your computer or network uses any software based on Java, be sure to install an update including the patch for this vulnerability.

I am not very sure who in the IT world still takes this kind of security issue seriously.

Since the NSA backdoors in generating the RSA keys and also recently the SunBurst attack, I don’t see any “security” at all here. Either people have to remove the server from the public network and secure it on a local network, or there is no “confidential” data. Also, when they can “hack” the Defense Secretary of the UK into telling secret military information to anyone over the phone, it’s just a joke. (Full Video by Vovan and Lexus Pranking UK Secretary of State for Defence Ben Wallace Giving Strategic Information)

If someone really wants to secure their data, use the old-fashioned way via external drives, USB disks, DVDs, and keep this stuff locked with secured access via physical security and normal keys.
