Originally posted: April 20th, 2022
This page is updated as new information becomes available. Please see the date/time (GMT) in the byline for the most recent update to this article.
What happened?
This bulletin is to notify you of CVE-2022-21449, a vulnerability in the ECDSA (Elliptic Curve Digital Signature Algorithm) signature verification of recent Java releases that allows malicious actors to bypass ECDSA signature checks. The affected verifier does not reject a signature whose r and s values are zero, so an all-zero signature is accepted as valid for any message under any public key. The potential impact of this vulnerability is high. Contrast is researching the issue more deeply to determine the best path forward for our customers.
Who is at Risk?
If you are running applications on Java 15 to 18 and you verify ECDSA signatures with the JDK's built-in provider, threat actors are able to bypass the signature check and forge signed JWTs (JSON Web Tokens using the ES256, ES384 or ES512 algorithms), SAML assertions, WebAuthn messages and OIDC (OpenID Connect) tokens, as well as any other authentication mechanism that relies on ECDSA signatures. Two caveats: the flaw is on the verifying side, so the system at risk is the Java 15-18 application that checks the signature, regardless of where the signature or key was produced; and earlier releases (Java 8 and 11), which use the older native implementation, are not affected, nor are applications that verify through a third-party provider such as Bouncy Castle instead of the JDK's own.
What action do I need to take?
Contrast customers can determine the version of Java their applications are running on by following the steps here: How to find the version of Java a Contrast agent is running on.
We strongly recommend upgrading to the latest Java patch release. The fix shipped in Oracle's April 2022 Critical Patch Update (Java 17.0.3 and 18.0.1); Java 15 and 16 are end of life and should be moved to a patched 17 or 18 release. Details of the patch releases can be found here:
Contrast will continue to monitor the situation with CVE-2022-21449. The security of our customers is of utmost importance to us.
Updates from Contrast
We have examined all of our internal systems, including Contrast hosted (SaaS), Contrast on-premises (EOP) and Contrast HUB, and determined that none of our Java applications use ECDSA.
Out of an abundance of caution we will be patching Java in our SaaS environments and recommend EOP customers do the same.
What's Next?
Contrast will continue to monitor the situation and will provide more detail as and if it becomes available.
If you have any questions or concerns, or would like to discuss this issue further, please don't hesitate to reach out to us.
Email: support@contrastsecurity.com
Portal: https://support.contrastsecurity.com
Phone: 240.252.5188