The Java ECDSA cryptography CVE-2022-21449 - are you affected and what to do?
Update 2022-04-22: The Nimbus JOSE+JWT library was not able to block all CVE-2022-21449 vectors of attack on vulnerable Java 15+ runtimes where the default Java ECDSA was targeted. This post is corrected to reflect this. We apologise for the incorrect initial assessment published here.
CVE-2022-21449 is a severe security bug in the standard Java Cryptography Architecture (JCA) provider that allows shockingly trivial bypassing of ECDSA signature validation in Java 15 and later. Neil Madden, who you may know from his contributions in the JOSE, OAuth and OpenID working groups, discovered the issue in November 2021 and has a detailed description of it in his blog, in a post published on 19 April 2022 when Oracle released a fix.
Are you affected?
Applications that use the Nimbus JOSE+JWT library to process ES512 JWS signatures on Java 15 or newer runtimes prior to the Oracle fix, using the default Java Cryptography Architecture (JCA) provider that comes in the JRE, were not safe from CVE-2022-21449 exploits.
Previously it was thought that the P1363 to DER transcoder for the ECDSA signatures was blocking all exploitable values from reaching a vulnerable Java ECDSA provider, but this was true only for the case of all-zero R and S signature values; other out-of-range values passed through the transcoder unchanged.
The Nimbus JOSE+JWT library borrowed the P1363 to DER transcoding logic from the Apache Santuario library (code link). This means that other projects that borrowed this code or rely on it, like OpenSAML, are also not immune and cannot rely on the particular transcoder implementation to block attacks on Java runtimes vulnerable to CVE-2022-21449.
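The following is an added example, not code from the Nimbus JOSE+JWT or Apache Santuario projects, showing the check a transcoder would need in front of any JCA provider: ECDSA verification starts by requiring 1 <= r, s <= n-1 (n being the curve order), so a filter that only rejects the literal all-zero case enforces less than the algorithm itself demands. The class name, the helper and the constructed test vectors (a 64-byte zero signature and one with both components equal to n) are assumptions of this example; it runs on a plain JDK with no extra dependencies.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.SignatureException;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

// Added example (not library code): range-check a P1363 (r || s) ECDSA signature
// against the curve order before it is transcoded to DER and passed to a provider.
public final class P1363SignatureCheck {

    public static void checkP1363Signature(byte[] sig, ECPublicKey publicKey)
            throws SignatureException {
        BigInteger n = publicKey.getParams().getOrder();   // curve order n
        int len = (n.bitLength() + 7) / 8;                  // 32 for P-256, 48 for P-384, 66 for P-521
        if (sig == null || sig.length != 2 * len) {
            throw new SignatureException("Unexpected P1363 signature length");
        }
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(sig, 0, len));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, len, 2 * len));
        // Both components must lie in [1, n-1]; zero and anything >= n is rejected.
        if (r.signum() <= 0 || r.compareTo(n) >= 0) {
            throw new SignatureException("ECDSA r component outside [1, n-1]");
        }
        if (s.signum() <= 0 || s.compareTo(n) >= 0) {
            throw new SignatureException("ECDSA s component outside [1, n-1]");
        }
    }

    // Left-pads (or trims a sign byte from) a big-endian magnitude to a fixed length.
    static byte[] toFixedLength(BigInteger v, int len) {
        byte[] raw = v.toByteArray();                        // may carry a leading 0x00 sign byte
        byte[] out = new byte[len];
        int copy = Math.min(raw.length, len);
        System.arraycopy(raw, raw.length - copy, out, len - copy, copy);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed P-256 key for the demonstration, not a real credential.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey pub = (ECPublicKey) kpg.generateKeyPair().getPublic();
        BigInteger n = pub.getParams().getOrder();

        // Constructed out-of-range inputs: all-zero r and s, and r = s = n.
        byte[] zeros = new byte[64];
        byte[] atOrder = new byte[64];
        System.arraycopy(toFixedLength(n, 32), 0, atOrder, 0, 32);
        System.arraycopy(toFixedLength(n, 32), 0, atOrder, 32, 32);

        for (byte[] candidate : new byte[][] { zeros, atOrder }) {
            try {
                checkP1363Signature(candidate, pub);
                System.out.println("accepted (unexpected)");
            } catch (SignatureException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Both constructed inputs are rejected by the range check, whereas a filter that only tests for all-zero bytes would let the second one through to the provider. The check is cheap and provider-independent, so it is a reasonable belt-and-braces measure even on a patched runtime, but it is not a substitute for the JRE update.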
You are not affected if you process ECDSA signatures in Java 14 or earlier (the bug was introduced in Java 15, after a rewrite from C++ to Java code).
You are not affected if you process ECDSA signatures with the open source BouncyCastle JCA provider (instead of the built-in Java JCA provider), regardless of the Java runtime version.
What to do?
Upgrade to the latest patched Java version, even if you are not affected by CVE-2022-21449, because the Oracle Critical Patch Update from April addresses a number of other issues as well.
We also strongly recommend updating to the latest patched Nimbus JOSE+JWT 9.22:

    <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.22</version>
    </dependency>
If you cannot do any or both of these updates, for whatever reason, switch to the BouncyCastle provider for ECDSA signatures validation.
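As an added example (not code from the Nimbus JOSE+JWT project), here is how the provider switch looks in both places where an application might verify ECDSA signatures: through the Nimbus ECDSAVerifier, by setting BouncyCastle on its JCA context, and through the plain JCA Signature API, by passing the BouncyCastle Provider object explicitly. It assumes nimbus-jose-jwt and bcprov (org.bouncycastle.jce.provider.BouncyCastleProvider) are on the classpath; the key pair and payload are constructed for the demonstration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Signature;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;

// Added example (not project code): verify ECDSA with the BouncyCastle provider
// instead of the built-in JCA provider, for Nimbus JOSE+JWT and for raw JCA use.
public final class VerifyWithBouncyCastle {

    public static void main(String[] args) throws Exception {
        // Constructed P-256 key pair for the demonstration, not a real credential.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        ECPublicKey pub = (ECPublicKey) kp.getPublic();
        ECPrivateKey priv = (ECPrivateKey) kp.getPrivate();

        // 1. Nimbus JOSE+JWT: sign an ES256 JWS, then verify it with BC set on the verifier.
        JWSObject jws = new JWSObject(
                new JWSHeader.Builder(JWSAlgorithm.ES256).build(),
                new Payload("{\"sub\":\"alice\"}"));           // constructed payload
        jws.sign(new ECDSASigner(priv));

        ECDSAVerifier verifier = new ECDSAVerifier(pub);
        // Route signature verification to BouncyCastle rather than the JRE default provider.
        verifier.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
        System.out.println("JWS verified via BouncyCastle: " + jws.verify(verifier));

        // 2. Plain JCA: pass the Provider object so the lookup cannot fall back to SunEC.
        Provider bc = new BouncyCastleProvider();
        byte[] message = "Hello, world!".getBytes("UTF-8");

        Signature signer = Signature.getInstance("SHA256withECDSA", bc);
        signer.initSign(priv);
        signer.update(message);
        byte[] derSignature = signer.sign();

        Signature checker = Signature.getInstance("SHA256withECDSA", bc);
        checker.initVerify(pub);
        checker.update(message);
        System.out.println("JCA signature verified via BouncyCastle: " + checker.verify(derSignature));
    }
}
```

Passing the Provider instance (or the Nimbus JCA context) pins the implementation per call site, which is more robust than relying on global provider ordering in Security.addProvider, where another library could still resolve the default provider first.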
How trivial is the exploit?
See for yourself:
import static org.junit.Assert.assertFalse;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;

// The default "EC" key pair is P-256, so a P1363 (r || s) signature is 64 bytes
KeyPair keyPair = KeyPairGenerator.getInstance("EC").generateKeyPair();
byte[] blankSignature = new byte[64]; // all-zero r and s
Signature sig = Signature.getInstance("SHA256WithECDSAInP1363Format");
sig.initVerify(keyPair.getPublic());
sig.update("Hello, world!".getBytes());
boolean validSig = sig.verify(blankSignature);
assertFalse("Signature validation bypassed - upgrade your JRE with patched version for CVE-2022-21449", validSig);