[Info-vax] CVE-2022-21449 and Oracle products; Java, MySQL Connectors, databases, etc
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Apr 22 13:52:50 EDT 2022
On 2022-04-21, Arne Vajhøj <arne at vajhoej.dk> wrote:
>
> CVE-2022-21449 is totally crazy BTW:
>
><quote>
> Madden's bug nickname is therefore wittily chosen, given that the bug he
> discovered allows an attacker to bypass a Java Elliptic Curve signature
> check simply by presenting a memory buffer filled entirely with zeros.
>
> You read that correctly: either you can generate a valid digital
> signature by dutifully applying the necessary private key to the
> calculation, or you can send across a bunch of zeros instead.
> ...
> But, as Madden discovered, a totally blank “psychic signature”, if
> presented to Java's Elliptic Curve verification code, would be flagged
> as valid when “verified” against any public key.
>
> In other words, an attacker would need either to hack into your network
> and steal your private keys in order to masquerade as you…
>
> …or simply to present a blank signature to pass muster every time!
></quote>
>
It reminds me of this:
https://www.theregister.com/2017/05/05/intel_amt_remote_exploit/
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
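
Added example, not part of the original post or of any Oracle code: a defensive pre-check that refuses an ECDSA signature whose r or s value falls outside the range 1..n-1 (n being the curve order), so the all-zero buffer described in the quote is rejected before the platform verifier is called. The class name `EcdsaRangeGuard`, the raw r||s (IEEE P1363) signature encoding and the throwaway P-256 key are assumptions made for the illustration.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

// Hypothetical helper class, written for this illustration only.
public class EcdsaRangeGuard {
    // ECDSA requires 1 <= r < n and 1 <= s < n, where n is the curve order.
    static boolean inRange(byte[] sig, BigInteger n) {
        if (sig.length == 0 || sig.length % 2 != 0) return false;
        int half = sig.length / 2;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(sig, 0, half));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, half, sig.length));
        return r.signum() > 0 && r.compareTo(n) < 0
            && s.signum() > 0 && s.compareTo(n) < 0;
    }

    // Reject out-of-range values before the JDK verifier ever sees them.
    static boolean verify(ECPublicKey key, byte[] msg, byte[] sig)
            throws GeneralSecurityException {
        if (!inRange(sig, key.getParams().getOrder())) return false;
        Signature v = Signature.getInstance("SHA256withECDSAinP1363Format");
        v.initVerify(key);
        v.update(msg);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = gen.generateKeyPair();            // constructed throwaway key
        byte[] msg = "constructed sample message".getBytes("UTF-8");

        Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] good = signer.sign();
        byte[] blank = new byte[good.length];          // the all-zero buffer from the quote

        ECPublicKey pub = (ECPublicKey) kp.getPublic();
        System.out.println("genuine signature: " + verify(pub, msg, good));
        System.out.println("all-zero buffer:   " + verify(pub, msg, blank));
    }
}
```

Signatures in ASN.1 DER form would need their two INTEGER fields decoded before the same range test applies.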