Bundled math in code issue created security trap

A mistake in the implementation of a particular cryptographic function in Java created a serious security shortcoming

A catastrophic vulnerability in the implementation of certain encryption operations in Java JDK makes it easy for attackers to forge counterfeit credentials.

The cryptographic weakness – which affects Java JDK versions 15 and later – was addressed by Oracle with an update released as part of its regular quarterly patch batch on Tuesday (April 19).

Both Oracle Java and OpenJDK need updating because of flaws that involve the implementation of widely used ECDSA (Elliptic Curve Digital Signature Algorithm) signatures.

The whole problem stemmed from a coding error rather than a problem with the underlying encryption technology.


Left unaddressed, the flaws make it possible for an attacker to forge some types of SSL certificates and handshakes – opening the door to manipulator-in-the-middle attacks.

Signed JWTs, SAML assertions, WebAuthn authentication messages, and more can all be easily hacked because of the cryptographic blunder, security researcher Neil Madden warns.

“It’s hard to overstate the severity of this bug,” Madden, a security architect at ForgeRock, explains in a technical blog post on the issue.

“If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU).”

Psychic paper

Java has supported ECDSA, a widely used standard for signing all kinds of digital documents, for some years. The mistake came with the rewrite of the EC code from native C++ code to Java as part of the Java 15 release, as Madden explains.

“Java’s implementation of ECDSA signature verification didn’t check if r or s [values related to an ECDSA signature] were zero, so you could produce a signature value in which they are both 0 (appropriately encoded) and Java would accept it as a valid signature for any message and for any public key. The digital equivalent of a blank ID card.”

Madden compares this blank ID card concept to the psychic paper in the sci-fi series Doctor Who, which is used by the titular character to fool people into co-operating.

Fraught disclosure

Madden and his colleagues at identity and access management firm ForgeRock discovered the flaw last November, at which point they reported it to Oracle and other Java developers. The subsequent disclosure process was less than ideal.

“I was disappointed in the disclosure process,” Madden told The Daily Swig. “I reported to the OpenJDK alias and then ended up in an Oracle black hole.”

“To be fair, they did respond reasonably quickly to emails, but always with a bare-minimum response, and I wasn’t given any details on the fix until it landed in the OpenJDK GitHub backport repos.”

Conflicting scores

In its release notes, Oracle grades the vulnerability with a CVSS score of only 7.5. ForgeRock, by contrast, rates the vulnerability’s score as 10.

According to Madden, the industry dodged a bullet. “I’m surprised it [wasn’t] found and exploited, but maybe that says more about how entrenched Java 8 still is!”

“Most people consider public key signature schemes to be super-secure, but in reality, these kinds of implementation bugs are not uncommon.

“For me, one of the most disturbing aspects of looking at this was realising how the WebAuthn/FIDO [Fast Identity Online – an authentication technology] ecosystem is basically a monoculture around ECDSA P-256 signatures at this point,” Madden concluded.

The assessment of the bug’s seriousness was backed up by industry luminary Thomas H Ptacek, who described it on Twitter as the “crypto bug of the year”.
