search

kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0
1.7k stars 275 forks source link

Announce: Java CVE [CVE-2022-21449 – Psychic Signatures] #370

Closed The-Lum closed 2 years ago

The-Lum commented 2 years ago

Hello all,

Just FYI, here is a Java CVE [CVE-2022-21449 – Psychic Signatures] (about "improper implementation of the ECDSA signature verification algorithm, introduced in Java 15" :

And another links here:

Good reading, Regards.

kaikramer commented 2 years ago

The interesting question for KSE users is certainly: How is KSE affected by this vulnerability?

If you are not using the certificate verification feature that was introduced with KSE 5.5.0, then you can simply ignore this vulnerability (as far as KSE is concerned).

grafik

If you are using the verification feature, then the question is what would the consequences be if the verification of a forged certificate was successful? If there are no drastic consequences, then you can relax as well.

If you really are relying on this feature then update to the Java versions that fix this bug and do not use the bundled JRE.

Apart from that KSE also uses signature verification internally for key imports to check if a key pair matches. But the vulnerability has no effect here, because it is only a functional check ("garbage in, garbage out").

The-Lum commented 2 years ago

Hello all,

Thanks @kaikramer: for the impact analysis on KSE.

Then here is from:

another precision:

  • The bug only impacts Java 15 and above. [...]
  • Bouncy Castle is not impacted by this vulnerability. They have their own ECDSA implementation, and it performs the relevant check to prevent this bug.
  • ...

Regards.

kaikramer commented 2 years ago

I think this ticket has served its purpose and can be closed now.