PT-2022-2323
Neil Madden · Published 2021-10-20 · Updated 2026-05-08
CVE-2022-21449
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18
Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2
Description
The issue lies in the implementation of the ECDSA digital signature algorithm in Oracle Java SE and Oracle GraalVM Enterprise Edition. It allows an unauthenticated attacker with network access via multiple protocols to compromise the affected products, resulting in unauthorized creation, deletion, or modification of critical data. The vulnerability can be exploited by using APIs in the specified component, and it applies to Java deployments that load and run untrusted code. The estimated number of potentially affected devices is not specified.
The vulnerability is caused by a flawed implementation of the ECDSA algorithm, which fails to check that the signature values r and s are non-zero. This allows an attacker to present a completely empty signature (r = 0, s = 0) that the vulnerable implementation still accepts as valid. Successful exploitation bypasses signature validation, which can allow an attacker to intercept and modify encrypted messages or, in some cases, bypass authentication.

The vulnerability can be exploited through the APIs of the affected component, for example through a web service that supplies data to those APIs. The checkPassword() function is not explicitly mentioned as vulnerable; the issue concerns the validation of digital signatures.

Recommendations
To resolve the issue for each affected version, update to the latest version of Java. Specifically:
- For Java 17, update to 17.0.3
- For Java 18, update to 18.0.1
- For Java 7, update to 7u341
- For Java 8, update to 8u331
- For Java 11, update to 11.0.15

As a temporary workaround, consider restricting access to the vulnerable component until a patch is available. Avoid using the vulnerable API endpoints until the issue is resolved.
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
AlmaLinux
CentOS
Java Platform
Linux Mint
Oracle GraalVM Enterprise Edition
Oracle Java SE
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu