Oracle recently released the Oracle Critical Patch Update Advisory – April 2022, which discloses an authentication bypass vulnerability (CVE-2022-21449) in certain recent versions of Oracle Java SE. ECDSA is the Elliptic Curve Digital Signature Algorithm, and the ECDSA signature verification mechanism in the affected Java SE versions is flawed. An attacker can forge certificates, signatures, two-factor authentication tokens and other authorization credentials that the flawed verifier accepts, and thereby bypass identity authentication.
Vulnerability Detail
Easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data, or to all data accessible to Oracle Java SE and Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.
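The advisory above does not spell out the root cause, but it is well documented for this CVE: the affected verifier skipped the range check that the ECDSA standard requires on the two signature integers, so a signature whose r and s are both zero passed verification for any message and any public key. The following is an added example, not code from this page or from Oracle, showing the defensive check a service can apply to an incoming DER-encoded ECDSA signature before handing it to any verifier: decode SEQUENCE { INTEGER r, INTEGER s } and require 1 ≤ r ≤ n-1 and 1 ≤ s ≤ n-1, where n is the curve order. The function names, the constructed sample signatures and the choice of NIST P-256 as the curve are assumptions for the example; for another curve, substitute its group order.

```python
"""Range-check the (r, s) pair of a DER-encoded ECDSA signature before verification.

This is the check from SEC 1 / FIPS 186: both integers must lie in [1, n-1].
A verifier that omits it can be handed degenerate values such as r = s = 0.
"""

# Group order n of NIST P-256 (secp256r1); assumed curve for this example.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value element at buf[pos].

    Returns (tag, value_bytes, position_after_element). Handles short-form
    and long-form lengths and refuses elements that run past the buffer.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n_len = length & 0x7F
        if n_len == 0 or pos + n_len > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_ecdsa_der(sig: bytes):
    """Decode SEQUENCE { INTEGER r, INTEGER s } into two Python ints."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30 or end != len(sig):
        raise ValueError("signature is not a single DER SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(body, 0)
    tag_s, s_bytes, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise ValueError("SEQUENCE must hold exactly two INTEGERs")
    # DER INTEGERs are two's-complement; a negative value is as invalid as zero.
    r = int.from_bytes(r_bytes, "big", signed=True)
    s = int.from_bytes(s_bytes, "big", signed=True)
    return r, s


def signature_in_range(sig: bytes, order: int = P256_ORDER) -> bool:
    """Return True only if the signature decodes and 1 <= r, s <= n-1.

    Malformed input is treated as out of range rather than raised, so a caller
    can reject it with the same code path as a degenerate (r, s).
    """
    try:
        r, s = parse_ecdsa_der(sig)
    except ValueError:
        return False
    return 1 <= r < order and 1 <= s < order


def encode_ecdsa_der(r: int, s: int) -> bytes:
    """Encode (r, s) as DER; used here only to construct sample inputs.

    Short-form lengths suffice for P-256-sized values (at most 70 body bytes).
    """
    def der_int(v: int) -> bytes:
        # One extra byte when the top bit is set keeps the integer positive.
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return bytes([0x02, len(b)]) + b
    body = der_int(r) + der_int(s)
    return bytes([0x30, len(body)]) + body


# Constructed samples: the degenerate all-zero signature and a well-formed pair.
DEGENERATE_SIG = encode_ecdsa_der(0, 0)           # 30 06 02 01 00 02 01 00
WELL_FORMED_SIG = encode_ecdsa_der(1, P256_ORDER - 1)

if __name__ == "__main__":
    print("degenerate (0,0):", signature_in_range(DEGENERATE_SIG))    # False
    print("well-formed pair:", signature_in_range(WELL_FORMED_SIG))   # True
```

Run this check in front of the platform verifier rather than instead of it: the verifier still does the curve arithmetic, and this guard simply guarantees that it never sees an (r, s) pair outside the range the standard allows, which closes the class of degenerate-signature bugs regardless of which Java version happens to be installed.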
Affected versions
- Oracle Java SE 17.0.2
- Oracle Java SE 18
- Oracle GraalVM Enterprise Edition 21.3.1
- Oracle GraalVM Enterprise Edition 22.0.0.2
Solution
The official security patch update has been released. Users need a support account for the licensed software: go to https://support.oracle.com, log in, and download the latest patch.