Java Product Vulnerability
When submitting a digital signature based on Elliptic Curve Cryptography, you’re supposed to be proving to the recipient that you have access to the private key that corresponds to the public key that they’ll use to verify the signature at your end.
In simple terms, you take a fixed-length hash (e.g. SHA-256) of the data you want to authenticate, such as an email message or a software update, sign that hash with your private key, and submit the hash and the signature. The recipient uses the matching public key to verify the hash and then uses the hash to verify the message (which can therefore be arbitrarily long).
Because your private key can’t be worked out backward from the corresponding public key, your public key can, quite literally, be made public, and attested to match your private key in numerous ways.
In other words, you can’t present a digital signature that will pass unless you have access to the relevant private key, so if the recipient assumes you have looked after your private key with the care it deserves, this sort of signature check provides a vital level of verification in today’s online exchanges of code and data.
But, as security researcher Madden discovered and reported to Oracle last December, hackers can use a totally blank “psychic signature”, if presented to Java’s Elliptic Curve verification code, which would be flagged as valid when “verified” against any public key.
In other words, an attacker would need either to hack into your network and steal your private keys in order to masquerade as you or simply to present a blank signature to pass muster every time!
What Should You Do?
Update your version of Java as soon as you can!
The most recent Java versions are Java 17 (Long Term Support) and Java 18, which get updated to 17.0.3 and 18.0.1 respectively.
Older but still-supported versions that have also been patched are Java 7, Java 8 and Java 11, which get updated to version 7u341, version 8u331 and 11.0.15 respectively.
Remember that it’s possible to have multiple Java versions installed at the same time, in the form of the Java Development Kit (JDK) or the Java Runtime Environment (JRE).
You can check for available Java versions on your computer by searching for program files called java
(or java.exe
on Windows).
You can check what version each Java executable represents by running the command java -version
.
You have a Vulnerability Alert Management Process, right?
If you’re a subscriber to CyberHoot’s services, you’ll have access to our Policy and Process library which contains the vulnerability alert management process document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.