CVE-2021-43392

Name of the Vulnerable Software and Affected Versions STMicroelectronics STSAFE-J version 1.1.4 STMicroelectronics J-SAFE3 version 1.2.5 STMicroelectronics J-SIGN (affected versions not specified)

Description The issue is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms, which exposes a 3.0.4 Java Card API. This allows attackers to obtain information on cryptographic secrets. It is exploitable for STSAFE-J in closed configuration and J-SIGN when signature verification is activated, but not for J-SAFE3 EPASS BAC and EAC products. The issue might also impact other products based on the J-SAFE-3 Java Card platform.

Recommendations For STMicroelectronics STSAFE-J version 1.1.4, consider disabling the ECDSA signature algorithm until a patch is available. For STMicroelectronics J-SAFE3 version 1.2.5, restrict access to the Java Card API to minimize the risk of exploitation. For STMicroelectronics J-SIGN, avoid using the signature verification feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.