Critical Java SE “Psychic Signature” Vulnerability; Essent Products Unaffected

Actions to Take

Bring this Support Notice to the attention of your Information Technology department.

Issue

A vulnerability in Oracle® Java SE versions 15 through 18 that the Common Vulnerabilities and Exposures organization described as “easily exploitable” allows attackers to forge security certificates, digital signatures, two-factor authentication messages, and authorization credentials.

This vulnerability is sometimes referred to as the “Psychic Signature” vulnerability due to its potential to allow attackers to easily bypass access control methods.

The vulnerability is not limited to Oracle products. Those who do not own Oracle products may still be vulnerable.

The issue has been fixed in Java 17.0.3 and 18.0.1; earlier builds of the affected versions remain vulnerable.

Essent Service Impact Analysis

There is no impact to Essent® products and services. Essent has taken action to confirm that Essent products and services do not use the affected versions of Java SE.

None of Essent's products and services, including Compass™, SiteBuilder™, PunchOutNow™, Direct2Decoration™, and the Essent Commerce Cloud, are affected by this vulnerability.

Corrective Action

No corrective action is required as it pertains to Essent products and services.

Essent encourages customers using Java or Java-based tools to perform their own evaluation and prioritize patching of any affected public Internet-facing services first.

Anyone using Java SE should upgrade to version 17.0.3 or 18.0.1.

More information

Oracle is the owner of Oracle Java SE, which is distributed as part of third-party software systems. Although a company may not be a customer of an Oracle application, the company may knowingly or unknowingly have the Oracle Java runtime installed, making the company vulnerable.

The Elliptic Curve Digital Signature Algorithm (ECDSA) vulnerability, assigned Common Vulnerabilities and Exposures number CVE-2022-21449, applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets. The vulnerability may occur in any Java code that relies on ECDSA certificate signatures for its functionality, including Java implementations of SAML SSO, OpenID SSO and FIDO 2FA.
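As an added triage aid (not part of this notice or of Essent's tooling), the following Python snippet classifies captured `java -version` output against the affected and fixed versions named above. The host names and sample output are constructed; releases outside Java SE 15 through 18 are reported only as outside the range this notice covers, not as safe.

```python
import re

# Facts from the notice: Java SE 15 through 18 are affected; fixed in 17.0.3 and 18.0.1.
AFFECTED_FEATURE_VERSIONS = range(15, 19)
FIXED_BUILDS = {17: (17, 0, 3), 18: (18, 0, 1)}

# Matches the quoted version in `java -version` output (printed on stderr),
# e.g. openjdk version "17.0.2" 2022-01-18  or  java version "1.8.0_312"
VERSION_RE = re.compile(r'version "(?P<ver>\d[\d.]*)')


def parse_version(output: str) -> tuple[int, ...]:
    """Return the version as an integer tuple, e.g. (17, 0, 2) or (8, 0)."""
    match = VERSION_RE.search(output)
    if match is None:
        raise ValueError("no Java version string found in output")
    parts = tuple(int(p) for p in match.group("ver").strip(".").split("."))
    # Legacy "1.x.y" form (Java 8 and earlier): the feature version is the second field.
    if parts[0] == 1 and len(parts) > 1:
        parts = parts[1:]
    return parts


def classify(version: tuple[int, ...]) -> str:
    """'vulnerable', 'fixed', or 'outside-range' (not a release this notice covers)."""
    feature = version[0]
    if feature not in AFFECTED_FEATURE_VERSIONS:
        return "outside-range"
    fixed = FIXED_BUILDS.get(feature)
    if fixed is None:
        # Java 15 and 16 are affected and the notice names no fixed build for them.
        return "vulnerable"
    padded = (version + (0, 0, 0))[:3]  # "17" alone is treated as 17.0.0
    return "fixed" if padded >= fixed else "vulnerable"


def audit(outputs: dict[str, str]) -> dict[str, str]:
    """Map each host label to the classification of the Java it reported."""
    return {host: classify(parse_version(out)) for host, out in outputs.items()}


# Constructed sample output from three hosts (hypothetical names, not real inventory).
SAMPLE_OUTPUTS = {
    "build-01": 'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment (build 17.0.2+8)',
    "web-02": 'openjdk version "18.0.1" 2022-04-19\nOpenJDK Runtime Environment (build 18.0.1+10)',
    "legacy-03": 'java version "1.8.0_312"\nJava(TM) SE Runtime Environment (build 1.8.0_312-b07)',
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
```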

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,” according to an Oracle Critical Patch Update Advisory that extensively details the vulnerability and Oracle’s patch for it.
