A critical flaw in the Java JDK’s handling of ECDSA signature verification makes it simple for attackers to create fake credentials. Oracle resolved the cryptographic flaw, which affects Java JDK versions 15 and later, with a patch distributed as part of its normal quarterly patch batch on Tuesday (April 19).

Because of problems in the implementation of commonly used ECDSA (Elliptic Curve Digital Signature Algorithm) signatures, both Oracle Java and OpenJDK need to be updated. The entire issue was caused by a coding error rather than a flaw in the encryption technique itself.

If left unaddressed, the issues allow an attacker to fabricate certain types of SSL certificates and handshakes, opening the door to man-in-the-middle attacks. Because of the cryptographic error, security researcher Neil Madden warns that signed JWTs, SAML assertions, WebAuthn authentication messages, and more can all be readily forged.

In a technical blog post about the defect, Madden, a security architect at ForgeRock, said, “It’s hard to overestimate the severity of this bug. If your server is using any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU), an attacker can easily and totally bypass any of these security features.”

Psychic paper

Java has supported ECDSA, a widely used standard for signing all kinds of digital documents, for some years. According to Madden, the error was introduced when the EC code was rewritten from native C++ code to Java as part of the Java 15 release.

Because Java’s implementation of ECDSA signature verification did not check whether r or s [the two values that make up an ECDSA signature] were zero, an attacker could construct a signature in which both values are 0 (appropriately encoded), and Java would accept it as a valid signature for any message and any public key.

The result is a computerised version of a blank identification card. Madden likens it to the psychic paper used by the eponymous character in the science fiction series Doctor Who to dupe people into cooperating.

Fraught disclosure

Last November, Madden and his colleagues at identity and access management company ForgeRock found the weakness and reported it to Oracle and other Java developers.

The disclosure process that followed was less than ideal. Madden told The Daily Swig, “I was unhappy with the disclosure procedure.” “I went into an Oracle black hole after reporting to the OpenJDK alias.”

“To be fair, they did react to emails rather promptly, but always with the bare minimum, and I wasn’t provided any specifics on the remedy until it landed in the OpenJDK GitHub backport repos,” he said.

Conflicting scores

Oracle only gives the vulnerability a CVSS score of 7.5 in its release notes. ForgeRock, on the other hand, assigns a score of 10 to the vulnerability.

According to Madden, the industry dodged a bullet. “I’m amazed it wasn’t discovered and abused, but perhaps it just goes to show how entrenched Java 8 is!” “Most people believe that public key signature methods are extremely secure, yet implementation flaws like these are relatively uncommon.”

“One of the most concerning things about looking at this for me was realising how the WebAuthn/FIDO [Fast Identity Online, an authentication standard] ecosystem is virtually a monoculture around ECDSA P-256 signatures at this point,” Madden added. Thomas H. Ptacek, a well-known industry figure, backed up the severity of the flaw by calling it the “crypto bug of the year” on Twitter.