back to article Oracle already wins 'crypto bug of the year' with Java digital signature bypass

Java versions 15 to 18 contain a flaw in its ECDSA signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations. Cyber-criminals could therefore pass off cryptographically signed malicious downloads and bogus information as if it were real, and affected …

  1. teknopaul Silver badge

    User presents a certificate

    Sounds like this bug does not apply to "normal" ssl, client provided certs are only used in the most important and secure applications where client authentication is critical: health, government interactions, finance...

    Pass the popcorn.

    1. Jon 37

      Re: User presents a certificate

      There are trusted CAs that have ECDSA root certificates trusted by all OSs and browsers.

      With this vulnerability, anyone can create certificates allowing them to impersonate any TLS server they like. This allows an attacker who is able to intercept traffic, to view and change your communications with any TLS server.

      1. Anonymous Coward
        Anonymous Coward

        Re: User presents a certificate

        Are you sure about that?

        I'm trying to work out how to exploit this, not least because we do EC crypto in Java.

        I can see that it would be possible to create an EC signature that's always be considered valid for any data, when verified in Java. And that EC could be used to sign another public key, as you've described, to effectively issue any certificate. But unless the all-signing EC key is in the list of trusted roots, it's still going to be treated as a valid chain from an unknown root.

        Put another way: the signer can now sign something that can be modified but looks like it remains signed. At this point I'm struggling a bit to see how a third-party could capitalise on this. Anyone?

        1. Androgynous Cupboard Silver badge

          Re: User presents a certificate

          Read the writeup at https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/ - it turns out it is kind of a big deal.

  2. Paul Herber Silver badge
    Trollface

    repeat(money++) until (all money in Oracle)

    There is a similar bug in all of Oracle's customer compliance tools. Even if the number of users = 0 and the amount of usage by these users = 0 then the compliance tool shows that the customer has got to pay Oracle some more money.

    1. b0llchit Silver badge
      Joke

      Re: repeat(money++) until (all money in Oracle)

      Well, when money becomes zero (unsigned integer overflow), then (all 0 in Oracle) is a good thing.

      It gets even better if we assume an integer overflow because (all INT_MIN in Oracle) is a huge win for humanity because they will finally have redistributed the wealth back to us all. Keep incrementing!

  3. HildyJ Silver badge
    FAIL

    "(0,0)"

    That would be how much Oracle cares and how much Oracle spends on security.

    Marketing and Billing, of course, would be (100,100).

  4. Anonymous Coward
    Anonymous Coward

    *Slow golf clap*

    Achievement unlocked: You win a lifetime supply of fail! Congratulations! Now please go stick your head in a pig.

  5. elDog

    Says the GCHQ to the CIA: Oh dear, they found our backdoor!

    Quick. Change the Open Sesame code to (-1,-1).

    And people still pay Oracle for their s***?

  6. Gene Cash Silver badge

    So what other sanity checks did they leave out on the rewrite?

    That sounds like a fertile field for security research.

    1. thames Silver badge

      Re: So what other sanity checks did they leave out on the rewrite?

      The whole thing sounds like a lack of serious testing. I have written a fair bit of numerical code over the past few years and one of the things that I learned was that there is lots of room for all sorts of non-obvious errors. The only viable solution seemed to be testing. I just ran a check over one project and have roughly 5 times as much testing code as there is code which is being tested.

      Since it isn't possible to test every possible numerical combination (although test values can be generated algorithmicly), a good sense of what sort of numbers can be problematic is necessary.

      Testing for (0, 0) is one of those really obvious problematic value pairs if you are doing anything involving any numerical operations. There are so many errors associated with 0 that if you are going to test anything at all, it should be 0.

      This really raises the question for me that if they didn't test (0, 0), do they have any systematic testing at all? Or did they just pick a few numbers at random and checked to see that they got the same answer as the C++ implementation and called it a day?

      This is not exactly confidence inspiring if that's the case.

      1. vogon00

        Re: So what other sanity checks did they leave out on the rewrite?

        "if you are going to test anything at all, it should be 0."

        Upvoted for that..

        Speaking as a former testing professional, I'd have to say I'm not surprised.

        'Testing' stuff used to mean actually testing it, with the software equivalent of hammers and a proper test plan, rather than just waving a damp dishrag at it to see what happens.

        They say zero must be discovered. I'd say the team/individual that ported this from CPP to Java have just made a different discovery - how shite they are!

        Back in the day, any test exercised the low and high limits of any parameter/setting, and especially out-of-range values. Not being an Oracle user, I'm a bit meah about them, however I hope they get a hammering somehow for their crass stupidity.

        Zero x Zero is acceptable....really?

      2. Cuddles Silver badge

        Re: So what other sanity checks did they leave out on the rewrite?

        "Testing for (0, 0) is one of those really obvious problematic value pairs if you are doing anything involving any numerical operations. There are so many errors associated with 0 that if you are going to test anything at all, it should be 0."

        It's worth noting that this isn't simply a question of not thinking of some obvious code tests. r and s being positive integers is part of the definition of ECDSA. It's literally step 1 of the verification (from Wiki):

        "1. Verify that r and s are integers in [ 1 , n − 1 ]. If not, the signature is invalid."

        They didn't simply fail to parse inputs for an otherwise correct implementation, they clearly didn't bother actually reading the specification in the first place.

    2. PC Paul

      Re: So what other sanity checks did they leave out on the rewrite?

      They do say "never write your own crypto" - apparently that holds true even if you're just translating it to a new language.

      1. yetanotheraoc Silver badge

        Re: So what other sanity checks did they leave out on the rewrite?

        Mr. Hard Problem, meet Mr. Hard Deadline.

        Oh, hi, nice to meet you. Looks like we'll be cutting a few corners...

  7. Lorribot

    Oracle "those number things are hard"

    i think the fact they only gave it a 7.5 out of 10 rating shows that Oracle can't do numbers

    1. hollymcr

      Re: Oracle "those number things are hard"

      Or they know there's worse to come?

      1. Alan Brown Silver badge

        Re: Oracle "those number things are hard"

        We'll just turn those ones all the way up to 11

    2. Anonymous Coward
      Anonymous Coward

      Re: Oracle "those number things are hard"

      Perhaps someone compromised their scoring system.

  8. An_Old_Dog Bronze badge

    accidental error vs purposeful error

    Gotta wonder if it was a programmer who was bribed or strong-armed, vs a programmer who was careless or incompetent.

    1. Boris the Cockroach Silver badge
      Facepalm

      Re: accidental error vs purposeful error

      Most likely the latter, but in his/her defense, they may not have been given the C++ source code , only the algorithm for doing the maths.....

      Which would indicate the documentation was crap

  9. Teejay

    Isn't the only reason why the world is using elliptic curve cryptography because the NSA figured out how to crack it and has been lobbying for it ever since?

    1. MJB7

      No. EC crypto is faster, both to sign and to verify, and _much_ faster than RSA for key generation (which matters if eg you generate an ephemeral key for each connection)

      There is _no_ evidence that the NSA has found how to break EC in general. The dual-EC RBG back door was a very specific hack - and not applicable to EC in general. It's the difference between knowing the factors of a single large number (easy - because you generated it yourself from a couple of smaller primes), and being able to factor large numbers in general (hard).

      Of course, I accept that if the NSA _had_ found how to break EC in general, they would do their damndest to keep that fact a secret - so absence of evidence is not proof of absence.

      1. Androgynous Cupboard Silver badge

        Don't forget signature size. I was standing inline at immigration watching everyone in front of me present their COVID pass for inspection a few weeks back, and could tell instantly whether the health authority that issued it used RSA or EC - the RSA codes were 3 or 4 times the size.

  10. JimmyPage

    Regression testing ?

    We've heard if it

  11. Anonymous Coward
    Anonymous Coward

    "In theory, for a signature to be valid, (r, s) cannot be (0, 0) because some of the math involves multiplying these numbers with other values. The bug arose because the original C++ code checked that both r and s are non-zero, and wouldn't accept the signature if they were. The new Java code didn't check, it just went ahead and computed with the values."

    Java needs to go!!!!!!!!!!

    Too much impact from this poorly managed coding environment.

  12. physicsguy

    How on earth was a port of this from C++ to Java not a straight line by line rewrite, with tests written beforehand? Someone trying to be too clever?

    1. Liam Proven (Written by Reg staff) Bronze badge

      This, for me, is the key question, yes.

    2. TimMaher Silver badge
      Facepalm

      Rust

      Also, if you need to write something that is reasonably fast and reasonably secure wouldn’t you migrate from C++ to Rust? It seems to be the up and coming language between Assembler and any application language, such as Java.

    3. Stevie

      How on earth was a port of this from C++ to Java not a straight line by line rewrite

      Welcome to the world of the Cobol Business Programmer, confronted with another stupid floating point datatype in the “newer, better language rewrite” where the scaled decimal belongs.

      8o)

    4. Alan Brown Silver badge

      Contract computer coding methodology - especially when outsourced to Bangalore - "why write 5 lines when 12 pages will do?"

      It's easier to obscure bugs and keeps you in long-term employment

  13. Displacement Activity
    Meh

    Oh dear...

    The bug was introduced when part of Java 15's signature-verification code was rewritten from its native C++ into Java itself.

    Nice to see that Oracle spends its days digging holes and filling them up again.

    1. Cliffwilliams44 Bronze badge

      Re: Oh dear...

      This just shows what I say about engineers and developers! (I work in an industry that hires both), there isn't a good idea they don't think needs fixing!

      If the C++ code worked why fix it with JAVA! I find it hard to believe that JAVA would be faster! Or did they fire all their C++ devs!

  14. Anonymous Coward
    Anonymous Coward

    Honestly people, it'S 2022. Why is anyone still using Java?

    1. Liam Proven (Written by Reg staff) Bronze badge
      Trollface

      One might well ask, why is anyone still using C.

      :-D

      1. Paul Herber Silver badge
        1. Jonathan Richards 1 Silver badge

          :D--

          Is that a projectile vomit emoticon? Nice, I'll have uses for that...

          1. Paul Herber Silver badge

            Re: :D--

            It's a smiley combined with a D-- to go with the C++.

            1. yetanotheraoc Silver badge

              Re: :D--

              I thought you were decrementing D.

    2. Dan 55 Silver badge

      Because big corp hires cheap programmers from JavaFactories aka universities.

      1. Anonymous Coward
        Anonymous Coward

        @Dan 55 - Small correction here

        Because big corp hires cheap programmers hoping modern programming languages, frameworks and paradigms will somehow compensate for insufficient skills.

  15. Zarno
    Joke

    One moment.

    One moment while I check if I have the license to the patch, and how much it will cost if I don't.

    Joke, obvs, but you never know with Oracle and their audit crew...

  16. Throatwarbler Mangrove Silver badge
    Angel

    Thank you, Jesus . . .

    . . . I just exited IT so I don't have to deal with this clusterfuck.

    1. yetanotheraoc Silver badge

      Re: Thank you, Jesus . . .

      Jesus didn't say, blessed are the ones who don't compute.

      The problem with mistakes of this magnitude is that no-one is safe from the fallout. Even people who don't use a computer have a bank (or government) that does.

      1. Throatwarbler Mangrove Silver badge
        Mushroom

        Re: Thank you, Jesus . . .

        I'm pretty sure there's something in Revelations about the use of Java, however.

    2. Alan Brown Silver badge

      Re: Thank you, Jesus . . .

      Unfortunately this shit is so embedded in every aspect of daily life that "You've got to deal with it whether you like it or not, grandad"

  17. Richard Pennington 1
    FAIL

    Not the first, probably won't be the last ...

    A few years ago, before I retired, I was involved in a safety-critical exercise in code verification.

    One of the modules involved a series of values and a quick-and-dirty checksum for integrity. The checksum was simply the sum of the values of the rest of the array (ignoring overflows).

    Meanwhile, another procedure would, under certain circumstances, wipe the whole array by overwriting it with zeroes.

    Somebody pointed out that the integrity checksum algorithm was so poor that the integrity check would still show "OK" even after the array had been zeroed out ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022