Oracle Patches Java Bug That’s Very Bad

Oracle has apparently patched a vulnerability in server-side Java that allowed an attacker to forge some kinds of SSL certificates and handshakes, along with several kinds of authentication messages. The vulnerabilities were discovered by ForgeRock security researcher Neil Madden and documented here. But here’s the info that what you need to know:

It’s hard to overstate the severity of this bug. If you are using ECDSA signatures for any of these security mechanisms, then an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update (CPU). For context, almost all WebAuthn/FIDO devices in the real world (including Yubikeys*) use ECDSA signatures and many OIDC providers use ECDSA-signed JWTs.

If you have deployed Java 15, Java 16, Java 17, or Java 18 in production then you should stop what you are doing and immediately update to install the fixes in the April 2022 Critical Patch Update.

Lovely.

Kevin Bocek, VP, Security Strategy & Threat Intelligence at Venafi had this comment:

“This vulnerability is just one more example of how important machine identities are to global security. It allows an attacker to bypass the TLS session handshake for specific servers so they can install malware and look for ways to pivot across networks. This is a serious vulnerability that needs to be patched quickly.”

Given the severity of this bug, I’d be patching all the things right now before you get pwned now that this is out there.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: