[Openid-specs-fapi] FYI: Java ECDSA Signature vulnerability

Nat Sakimura nat at nat.consulting
Wed Apr 20 08:00:02 UTC 2022


Reported by Neil Madden, whom many of you know.

“If you are using ECDSA [elliptic curve digital signature algorithm]
signatures for any of these security mechanisms, then an attacker can
trivially and completely bypass them if your server is running any Java 15,
16, 17, or 18 version before the April 2022 Critical Patch Update (CPU),”
Madden wrote of CVE-2022-21449.

Source: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/