Bring this Support Notice to the attention of your Information Technology department.
A vulnerability in Oracle® Java SE versions 15 through 18, which Oracle's Critical Patch Update advisory rates as "easily exploitable", allows attackers to forge ECDSA digital signatures and, with them, anything that depends on an ECDSA signature check: security certificates, signed tokens and messages, two-factor authentication responses, and authorization credentials.
This vulnerability is commonly referred to as the "Psychic Signatures" vulnerability, the name given to it by the researcher who reported it: an affected Java runtime accepts a blank (all-zero) signature as valid for any message and any public key, so an attacker can bypass any access control that relies on verifying an ECDSA signature.
The vulnerability is not limited to Oracle products. The flaw is in the OpenJDK code base from which non-Oracle Java distributions are built, so those who do not own Oracle products may still be vulnerable.
The issue was fixed in Oracle's April 2022 Critical Patch Update, in Java 17.0.3 and 18.0.1. Java 15 and 16 are out of support and received no fix, so they remain vulnerable; Java 11 and earlier use a different ECDSA implementation and are not affected.
There is no impact to Essent® products and services. Essent has taken action to confirm that Essent products and services do not use the affected versions of Java SE.
All Essent products and services including Compass™, SiteBuilder™, PunchOutNow™, Direct2Decoration™, and the Essent Commerce Cloud are not affected by these vulnerabilities.
No corrective action is required as it pertains to Essent products and services.
Essent encourages customers using Java or Java-based tools to perform their own evaluation and prioritize patching of any affected public Internet-facing services first.
Anyone running Java SE 15 through 18 should upgrade to version 17.0.3 or 18.0.1 (or later). Because Java 15 and 16 received no fix, deployments on those versions should move to Java 17.
Oracle is the owner of Oracle Java SE, which is distributed as part of many third-party software systems. Although a company may not be a customer of any Oracle application, it may knowingly or unknowingly have a Java runtime installed as a dependency of other software, making the company vulnerable.
The Elliptic Curve Digital Signature Algorithm (ECDSA) vulnerability, assigned Common Vulnerabilities and Exposures number CVE-2022-21449, is described in Oracle's advisory with its standard wording for Java deployments ("typically in clients running sandboxed Java Web Start applications or sandboxed Java applets"), but it is not limited to client sandboxes. Any Java code that verifies ECDSA signatures with the JDK's built-in provider is affected, including server-side Java implementations of SAML SSO, OpenID SSO and FIDO/WebAuthn 2FA.
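The following Java program is an added example, not Essent's or Oracle's code, that performs the evaluation this notice recommends: it asks the running JVM to verify an all-zero ECDSA signature over an arbitrary message with a freshly generated P-256 key. On an unpatched Java 15 to 18 runtime the JDK's EC provider accepts it (this is the forgery behind the "Psychic Signatures" name and behind the SAML, OpenID and FIDO impact described above); a patched runtime rejects it. The choice of curve (secp256r1) and the two signature encodings tested are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

/**
 * Added example: probes the running JVM for CVE-2022-21449 by asking the
 * JDK's EC provider to verify an all-zero ECDSA signature (r = 0, s = 0).
 * An affected runtime returns true for any message and any public key.
 */
public class PsychicSignatureCheck {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }, the format used by
    // the default "SHA256withECDSA" algorithm name.
    private static final byte[] ZERO_SIG_DER =
            {0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00};

    // Raw r || s encoding (IEEE P1363): 32 zero bytes for r and 32 for s on P-256.
    private static final byte[] ZERO_SIG_P1363 = new byte[64];

    /**
     * Returns true when the runtime accepts the forged signature, i.e. the
     * runtime is vulnerable. A patched runtime returns false or throws a
     * SignatureException; both count as a rejection.
     */
    static boolean acceptsZeroSignature(String algorithm, byte[] zeroSig) throws Exception {
        // Assumption: P-256, the curve most commonly used by SAML/OIDC/WebAuthn deployments.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair keys = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(keys.getPublic());
        // The message content is irrelevant: the forgery works for any input.
        verifier.update("any message the attacker chooses".getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(zeroSig);
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java runtime: " + Runtime.version());
        boolean der = acceptsZeroSignature("SHA256withECDSA", ZERO_SIG_DER);
        boolean p1363 = acceptsZeroSignature("SHA256withECDSAinP1363Format", ZERO_SIG_P1363);
        System.out.println("all-zero DER signature accepted:   " + der);
        System.out.println("all-zero P1363 signature accepted: " + p1363);
        if (der || p1363) {
            System.out.println("VULNERABLE to CVE-2022-21449: upgrade to 17.0.3 / 18.0.1 or later");
        } else {
            System.out.println("zero-signature forgery rejected by this runtime");
        }
    }
}
```

Compile and run it with the same JDK that your Java-based services actually use (`javac PsychicSignatureCheck.java && java PsychicSignatureCheck`), since a machine may carry several runtimes; a result of `true` for either encoding means that runtime will accept forged signatures and must be upgraded before it is exposed to untrusted input.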
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,” according to an Oracle Critical Patch Update Advisory that extensively details the vulnerability and Oracle’s patch for it.
Essent is the leading provider of fully-integrated business management software solutions and services for process-intensive industries and the largest trading network for the promotional products industry. The Essent family of fully-integrated products and services combines best practices, business processes, software automation, and network communications to deliver unparalleled, unified business management solutions. Since 1980, Essent has offered the systems, service, software, and support critical to success in today's highly-competitive marketplace.