CVE-2022-21449 - Psychic Signatures in Java #11754
abstractj announced in Announcements
@stianst FYI
-
Last week, the security researcher Neil Madden published in his blog post all the details about how to exploit the recently disclosed vulnerability CVE-2022-21449, caused by an improper implementation of the ECDSA algorithm introduced in Java 15.
The ECDSA algorithm is used in Keycloak as part of the OIDC and WebAuthn implementations. Keycloak server supports Java 11 only, and it is not impacted by this vulnerability.
Any Java clients using Keycloak adapters, or other libraries, in combination with ECDSA-signed tokens may also be affected if using Java 15+.
We highly recommend that anyone leveraging ECDSA-signed tokens with Java 15+, or running Keycloak server with Java 15+, upgrade Java immediately.
The Keycloak team will continue to monitor the situation with CVE-2022-21449. Please reach out to us on the Keycloak Security mailing list for additional concerns.
Additional resources:
Oracle Critical Patch Update Advisory
OpenJDK Vulnerability Advisory
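The fix the announcement recommends is upgrading Java. For a Java client that verifies ES256-signed tokens and cannot upgrade at once, the example below (added here; not Keycloak's or the adapters' code) shows a defence-in-depth check: it rejects any JWS signature whose r or s scalar lies outside [1, n-1] before the JDK verifier is invoked, which is the range check the affected JDK releases omitted. The class name EcdsaTokenGuard and the sample header and payload are constructed for the example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;

public final class EcdsaTokenGuard {
    // Order n of the P-256 (secp256r1) group, the curve ES256 uses.
    static final BigInteger P256_ORDER = new BigInteger(
            "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);

    // A JWS ES256 signature is r || s, 32 bytes each; both must lie in [1, n-1].
    static boolean scalarsInRange(byte[] rawRS, BigInteger order) {
        if (rawRS == null || rawRS.length != 64) return false;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(rawRS, 0, 32));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(rawRS, 32, 64));
        return r.signum() > 0 && r.compareTo(order) < 0
                && s.signum() > 0 && s.compareTo(order) < 0;
    }

    // Verifies a compact ES256 JWS; the range check runs before the JDK verifier.
    static boolean verifyEs256(String compactJws, PublicKey key) throws Exception {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] rawRS = Base64.getUrlDecoder().decode(parts[2]);
        if (!scalarsInRange(rawRS, P256_ORDER)) return false;
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(key);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(rawRS);
    }

    // Self-test on a constructed token: a genuine signature passes, an all-zero one is refused.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        var kp = kpg.generateKeyPair();
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String input = b64.encodeToString("{\"alg\":\"ES256\"}".getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString("{\"sub\":\"demo\"}".getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
        signer.initSign(kp.getPrivate());
        signer.update(input.getBytes(StandardCharsets.US_ASCII));
        String good = input + "." + b64.encodeToString(signer.sign());
        String zero = input + "." + b64.encodeToString(new byte[64]);
        System.out.println("genuine accepted: " + verifyEs256(good, kp.getPublic()));
        System.out.println("all-zero rejected: " + !verifyEs256(zero, kp.getPublic()));
    }
}
```

The guard is independent of the JDK version, so it holds on both patched and unpatched runtimes; it complements, not replaces, the upgrade.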