Bug 2075821 (CVE-2022-21449)

Summary: CVE-2022-21449 OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Mauro Matteo Cascella <mcascell>
Assignee: Red Hat Product Security <security-response-team>
CC: ahughes, bernhard.schuhmann, chazlett, dbhole, dfitzmau, jdowland, jhuttana, jochrist, jvanek, nengard, neugens, pjindal, security-response-team, sraghupu
Last Closed: 2022-04-28 23:45:15 UTC
Bug Depends On: 2073575, 2073576, 2073577, 2073578, 2073579
Bug Blocks: 2073424

Description Mauro Matteo Cascella 2022-04-15 13:58:01 UTC
It was discovered that the Libraries component in OpenJDK failed to properly verify ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. A remote attacker could use this flaw to make a Java application compute an invalid signature for arbitrary forged content, thus bypassing the signature verification process.

Comment 3 errata-xmlrpc 2022-04-20 13:28:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1445 https://access.redhat.com/errata/RHSA-2022:1445

Comment 4 Mauro Matteo Cascella 2022-04-20 13:29:42 UTC
OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/2d4103a3d929e05edca98e7703e0869077966be7

Comment 5 Mauro Matteo Cascella 2022-04-20 15:26:27 UTC
Oracle CPU April 2022:

https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA

Fixed in Oracle Java SE 7u341, 8u331, 11.0.15, 17.0.3, 18.0.1.

Comment 6 Mauro Matteo Cascella 2022-04-21 08:29:17 UTC
This issue was found and responsibly disclosed to Oracle by ForgeRock. For a detailed description of the bug and possible consequences, see Neil Madden's blog post: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java.

Comment 7 bernhard.schuhmann 2022-04-25 09:16:25 UTC
Will the 17.0.3 release be picked up for EL7 automatically? Thanks in advance!

Comment 8 Jonathan Dowland 2022-04-26 09:14:47 UTC
@bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

Comment 9 bernhard.schuhmann 2022-04-26 13:44:40 UTC
(In reply to Jonathan Dowland from comment #8)
> @bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

@jdowland, I was referring to EPEL repository for CentOS 7, which provides OpenJDK 17.0.2. Wanted to ask if this version would get updated 'automatically' or what would be the process to ask for an update there?

Comment 10 errata-xmlrpc 2022-04-28 19:03:54 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.3

Via RHSA-2022:1436 https://access.redhat.com/errata/RHSA-2022:1436

Comment 11 errata-xmlrpc 2022-04-28 19:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.3

Via RHSA-2022:1437 https://access.redhat.com/errata/RHSA-2022:1437

Comment 12 Product Security DevOps Team 2022-04-28 23:45:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21449

Comment 13 errata-xmlrpc 2022-05-17 23:39:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:1729 https://access.redhat.com/errata/RHSA-2022:1729