Security researcher Khaled Nassar recently published on GitHub proof-of-concept (PoC) code for a newly disclosed digital signature bypass vulnerability in Java, tracked as CVE-2022-21449. The vulnerability was discovered in November of last year by Neil Madden, a researcher at security consulting firm ForgeRock, and was reported to Oracle the same day. Although Oracle gave the vulnerability a CVSS rating of 7.5, ForgeRock said it had privately disclosed the vulnerability when it was first discovered and had rated it a 10 on the CVSS scale.
Oracle pushed out a security update yesterday to fix the vulnerability, which allowed attackers to forge certain types of SSL certificates and handshakes, two-factor authentication information, and authorization credentials generated by a range of widely used open standards. It lets an attacker easily forge digital signatures on files and other data. The vulnerability affects the implementation of ECDSA (Elliptic Curve Digital Signature Algorithm) in Java 15 and above. ECDSA is an algorithm that uses elliptic curve cryptography to digitally authenticate messages.