A side-channel vulnerability was discovered in the ECDSA implementation in the Security component of OpenJDK. This issue could possibly lead to a disclosure of the private key.
Further details can be found on the pages of the Centre for Research on Cryptography and Security of Masaryk University in Brno (Czech Republic):
The issue is branded as Minerva.
Patches applied to OpenJDK do not aim to address the problem in the EC implementation, but rather only disable affected EC curves in TLS by default. Note that use cases where affected curves are re-enabled for use in TLS, or uses outside TLS would still be affected.
The following note regarding this issue was included in the Oracle Java SE release notes:
➜ Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...
JDK-8228825 (not public)
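Because the fix only changes the TLS defaults, a deployment that sets jdk.tls.namedGroups can turn the removed curves back on. The following is an added example, not code from OpenJDK, Oracle or this report: it audits java command lines for that property and reports any of the seven removed curves it re-enables. The function names and sample command lines are constructed for illustration, and matching is case-insensitive as a conservative assumption. It does not cover EC use outside TLS.

```python
import shlex

# Curves removed from the default TLS named groups, as listed in the release note.
REMOVED_CURVES = {
    "sect283k1", "sect283r1", "sect409k1", "sect409r1",
    "sect571k1", "sect571r1", "secp256k1",
}
PROPERTY = "-Djdk.tls.namedGroups="


def named_groups(command_line):
    """Return the jdk.tls.namedGroups list from a java command line, or None if unset.

    Assumption: when the option is repeated, the last occurrence takes effect,
    so later values replace earlier ones here. All tokens are scanned.
    """
    groups = None
    for token in shlex.split(command_line):  # shlex removes the shell quoting
        if token.startswith(PROPERTY):
            value = token[len(PROPERTY):]
            groups = [g.strip() for g in value.split(",") if g.strip()]
    return groups


def reenabled_curves(command_line):
    """Return the removed curves this command line re-enables, in preference order."""
    groups = named_groups(command_line) or []
    return [g for g in groups if g.lower() in REMOVED_CURVES]


def audit(command_lines):
    """Map each named command line to the removed curves it re-enables."""
    return {name: reenabled_curves(cmd) for name, cmd in command_lines.items()}


# Constructed sample command lines (hypothetical service names and jar files).
SAMPLES = {
    "legacy-gateway": 'java -Djdk.tls.namedGroups="secp256r1, secp384r1, '
                      'sect283k1, secp256k1" -jar gateway.jar',
    "billing": "java -Djdk.tls.namedGroups=secp256r1,secp384r1 -jar billing.jar",
    "reports": "java -Xmx512m -jar reports.jar",
}

if __name__ == "__main__":
    for service, curves in audit(SAMPLES).items():
        status = "re-enables " + ", ".join(curves) if curves else "ok"
        print(f"{service}: {status}")
```
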
The EC curves that were disabled via the patch for this issue were not enabled in OpenJDK builds as included in Red Hat products, and hence those OpenJDK builds were not affected.
Public via Oracle CPU October 2019:
Fixed in Oracle Java SE 13.0.1, 11.0.5, 8u231, and 7u241.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
OpenJDK-11 upstream commit:
OpenJDK-8 upstream commit: