Bug 2075821 (CVE-2022-21449) - CVE-2022-21449 OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)
Status: CLOSED ERRATA
Alias: CVE-2022-21449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2073575 2073576 2073577 2073578 2073579
Blocks: 2073424
Reported: 2022-04-15 13:58 UTC by Mauro Matteo Cascella
Modified: 2022-05-17 23:39 UTC (History)

Last Closed: 2022-04-28 23:45:15 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1436 0 None None None 2022-04-28 19:03:57 UTC
Red Hat Product Errata RHSA-2022:1437 0 None None None 2022-04-28 19:04:26 UTC
Red Hat Product Errata RHSA-2022:1445 0 None None None 2022-04-20 13:28:27 UTC
Red Hat Product Errata RHSA-2022:1729 0 None None None 2022-05-17 23:39:21 UTC

Description Mauro Matteo Cascella 2022-04-15 13:58:01 UTC
It was discovered that the Libraries component in OpenJDK failed to properly verify ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. A remote attacker could use this flaw to make a Java application compute an invalid signature for arbitrary forged content, thus bypassing the signature verification process.

Comment 3 errata-xmlrpc 2022-04-20 13:28:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1445 https://access.redhat.com/errata/RHSA-2022:1445

Comment 4 Mauro Matteo Cascella 2022-04-20 13:29:42 UTC
OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/2d4103a3d929e05edca98e7703e0869077966be7

Comment 5 Mauro Matteo Cascella 2022-04-20 15:26:27 UTC
Oracle CPU April 2022:

https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA

Fixed in Oracle Java SE 7u341, 8u331, 11.0.15, 17.0.3, 18.0.1.

Comment 6 Mauro Matteo Cascella 2022-04-21 08:29:17 UTC
This issue was found and responsibly disclosed to Oracle by ForgeRock. For a detailed description of the bug and possible consequences, see Neil Madden's blog post: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java.

Comment 7 bernhard.schuhmann 2022-04-25 09:16:25 UTC
Will the 17.0.3 release be picked up for EL7 automatically? Thanks in advance!

Comment 8 Jonathan Dowland 2022-04-26 09:14:47 UTC
@bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

Comment 9 bernhard.schuhmann 2022-04-26 13:44:40 UTC
(In reply to Jonathan Dowland from comment #8)
> @bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

@jdowland, I was referring to the EPEL repository for CentOS 7, which provides OpenJDK 17.0.2. I wanted to ask if this version would get updated 'automatically', or what the process would be to ask for an update there?

Comment 10 errata-xmlrpc 2022-04-28 19:03:54 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.3

Via RHSA-2022:1436 https://access.redhat.com/errata/RHSA-2022:1436

Comment 11 errata-xmlrpc 2022-04-28 19:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.3

Via RHSA-2022:1437 https://access.redhat.com/errata/RHSA-2022:1437

Comment 12 Product Security DevOps Team 2022-04-28 23:45:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21449

Comment 13 errata-xmlrpc 2022-05-17 23:39:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:1729 https://access.redhat.com/errata/RHSA-2022:1729
