Java Suffers from Crypto Bug That Could Allow Attackers to Bypass Digital Signatures, Oracle Releases Fix

Java versions 15 and above carry a flaw in the implementation of its Elliptic Curve Digital Signature Algorithm (ECDSA) that could exploited by cybercriminals to digitally sign files by forging some types of Secure Sockets Layer (SSL) certificates, signed JSON Web Tokens (JWTs), and even two-factor authentication messages. The issue was first discovered last year and was reported to Oracle, which eventually patched it last week. However, since organisations take time to update their systems with the latest releases, any device that uses the affected Java versions for consuming digitally-signed data could be at risk.

Oracle patched the issue, which is also called a blunder among the community, as a part of more than 500 fixes. The vulnerability is tracked as CVE-2022-21449.

Neil Madden, the researcher at security consultancy firm ForgeRock, found the security loophole and reported it to Oracle privately in November. Although the software company has given a severity rating of 7.5 out of 10 to the issue, experts including ForgeRock is considering it to be a flaw with the severity rating of 10 — "due to the wide range of impacts on different functionality" that could bring a large impact.

"If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper," Madden wrote in a blog post.

Cybercriminals and hackers could use the flaw to digitally sign a malicious app or file that could have a different set of implications for end consumers. It could allow attackers to ultimately gain backdoor access to systems or even hack a network using files and data that looks authentic and trustworthy.

Java uses ECDSA that is based on the principles of elliptic curve cryptography — one the known and widely adopted approaches to enable key agreement and digital signatures. The researcher found that the bug was introduced by a rewrite of the elliptic curve cryptography from native C++ to Java, which took place with the release of Java 15.

Digital signatures based on elliptic curve cryptography typically require users to prove to the recipients that they have access to the private key corresponding to the public key. This helps verify the authentication and allows users to gain access to the data. It also restricts users from presenting a digital signature for handshakes who don't have access to a relevant private key.

However, using the flaw, an attacker could use a blank signature that could be considered as valid and verified by the system against any public keys.

Madden calls these signatures similar to a "psychic paper" — the plot device that appeared on long-running sci-fi Doctor Who. It was essentially a completely blank paper but was designed to work as a security pass, warrant, or a proof on the basis of what the protagonist wants others to see.

"An ECDSA signature consists of two values, called r and s," the researcher said while explaining the flaw. "To verify an ECDSA signature, the verifier checks an equation involving r, s, the signer's public key, and a hash of the message. If the two sides of the equation are equal then the signature is valid, otherwise it is rejected."

The process involves a condition that the R and S in the calculation must not be a zero. It is, though, not the case with Java's implementation of the verification.

"Java's implementation of ECDSA signature verification didn't check if R or S were zero, so you could produce a signature value in which they are both 0 (appropriately encoded) and Java would accept it as a valid signature for any message and for any public key," Madden said.

Echoing the severity highlighted by Madden, security expert Thomas Ptacek said that the issue is the "crypto bug of the year."

Data security firm Sophos in a blog post also pointed out that the bug is not just impacting Java servers that are interacting with client software.

"Any device that consumes digitally-signed data inside your network could be at risk," it said.

The affected Java versions — Java 15 to 18 — are thankfully not as widely used as its previous releases. According to the data in a survey conducted between February and March 2021, cybersecurity firm Snyk said that Java 11 accounted for over 61 percent of total deployments, while Java 15 had a share of 12 percent.

Nevertheless, IT administrators and organisations are advised to quickly update their Java version to avoid instances of any future attacks.