CVE-2022-21449 log
| Source |
|
| Severity | High |
| Remote | Yes |
| Type | Insufficient validation |
| Description | The ECDSA signature verification from java 15 onward accecpted completely blank signatures as valid for an arbitrary message and public key. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2687 | jdk17-openjdk, jre17-openjdk, jre17-openjdk-headless | 17.0.2-1 | 17.0.3.u7-2 | High | Fixed | |
| AVG-2686 | jdk-openjdk, jre-openjdk, jre-openjdk-headless | 18-1 | 18.0.1u10-1 | High | Fixed |
| References |
|---|
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/ https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19 |