CVE-2022-21449 PoC — Oracle Java SE Input Validation Error Vulnerability

Associated Vulnerability
Title: Oracle Java SE Input Validation Error Vulnerability (CVE-2022-21449)
Description: Oracle Java SE is a product of the US company Oracle for developing and deploying Java applications on desktops, servers, embedded devices and in real-time environments. An input validation error vulnerability exists in Oracle Java SE that allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data, or to all data accessible to Oracle Java SE and Oracle GraalVM Enterprise Edition.
Readme
# Demo Project: CVE-2022-21449 Vulnerability

This project demonstrates the CVE-2022-21449 vulnerability, which affects Java's ECDSA signature verification. The vulnerability allows a malicious actor to bypass signature verification by using a signature with zero values (`r=0` and `s=0`). The project uses real and fake JWT tokens with EC signatures to showcase the issue on Java 17 without the security patch.

## Features
- **Real JWT Token**: A valid JWT token signed with an EC private key.
- **Fake JWT Token**: A JWT token with a zeroed signature (`r=0`, `s=0`).
- **Validation**: Demonstrates how the vulnerability allows the fake token to pass validation.

## Prerequisites
- **Java 17** (without the security patch for CVE-2022-21449).
- **Maven** for building the project.

## Project Structure
- `JwtGenerator`: Generates real and fake JWT tokens.
- `JwtUtils`: Validates JWT tokens using a public EC key.
- `SecurityConfig`: Configures Spring Security to demonstrate token-based authentication.
- `ProtectedController`: Provides endpoints to test token-based access control.

## How to Use the `JwtGenerator` Console App
The `JwtGenerator` class is a standalone console application that generates and prints both valid and fake JWT tokens.

### Steps to Run
1. **Build the Project**:
   ```bash
   mvn clean install
   ```

2. **Run the `JwtGenerator` Class**:
   ```bash
   mvn exec:java -Dexec.mainClass="com.symphony_solutions.demo.util.JwtGenerator"
   ```

3. **Output**:
   The application will print:
    - A valid JWT token.
    - A fake JWT token with a zeroed signature.

   Example:
   ```
   === Valid JWT ===
   eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsInJvbGVzIjpbIkFETUlOIiwiVVNFUiJdLCJpYXQiOjE2NzAwMDAwMDAsImV4cCI6MTY3MDAzNjAwMH0.<signature>

   === Fake JWT with zero signature ===
   eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJib2IiLCJyb2xlcyI6WyJBRE1JTiIsIlVTRVIiXSwiaWF0IjoxNjcwMDAwMDAwLCJleHAiOjE2NzAwMzYwMDB9.<zeroed_signature>
   ```

4. **Use the Tokens**:
    - Copy the tokens and use them to test the vulnerability in the application or other tools.

## Demonstrating the Vulnerability
1. **Start the Application**:
   ```bash
   mvn spring-boot:run
   ```

2. **Access Protected Endpoints**:
    - Use a valid token to access `/protected/user` or `/protected/admin`.
    - Use the fake token to demonstrate how the vulnerability allows unauthorized access.

3. **Endpoints**:
    - `/protected/user`: Requires `USER` or `ADMIN` role.
    - `/protected/admin`: Requires `ADMIN` role.

## Important Notes
- This project is for educational purposes only. Do not use it in production environments.
- Ensure your Java version is updated with the security patch to mitigate CVE-2022-21449.
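
A defence-in-depth check for deployments that cannot patch immediately, added here as an example and not part of the repository's `JwtUtils`: the hypothetical `GuardedEs256Verifier` decodes the JWS signature segment and rejects any `r` or `s` outside `[1, n-1]` before the token ever reaches the JDK, which is exactly the range check the unpatched verifier skips for the `r=0`, `s=0` token above. It assumes ES256 (P-256) and the raw `r||s` signature encoding that JWS uses; `ecPublicKey` stands for the same public EC key the project validates with.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical defence-in-depth wrapper around the JDK's ES256 verification. */
public final class GuardedEs256Verifier {

    // Group order n of secp256r1 (P-256), the curve ES256 uses.
    private static final BigInteger P256_ORDER = new BigInteger(
            "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);

    /** True only if the signature passes the range check AND the JDK verifies it. */
    public static boolean verify(String jwt, PublicKey ecPublicKey)
            throws GeneralSecurityException {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false;                        // not valid base64url
        }
        if (!isWellFormed(sig)) return false;    // never reaches the unpatched verifier
        // "inP1363Format" consumes the raw r||s encoding JWS uses, so no DER conversion.
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(ecPublicKey);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(sig);
    }

    /** ES256 signatures are r||s, 32 bytes each; both must lie in [1, n-1]. */
    static boolean isWellFormed(byte[] sig) {
        if (sig.length != 64) return false;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(sig, 0, 32));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, 32, 64));
        return inRange(r) && inRange(s);         // r=0 or s=0 is rejected here
    }

    private static boolean inRange(BigInteger x) {
        return x.signum() > 0 && x.compareTo(P256_ORDER) < 0;
    }
}
```

The guard only narrows the window; applying the vendor patch remains the actual fix, since other code paths that call `Signature.verify` directly are not covered.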

## References
- [CVE-2022-21449 Details](https://nvd.nist.gov/vuln/detail/CVE-2022-21449)
- [Java Security Updates](https://www.oracle.com/security-alerts/)

## License
This project is licensed under the MIT License.
File Snapshot

[4.0K] /data/pocs/b9dff573116aa51c5ad4a1939401e81e887bc7a9
├── [ 241] ec_private_key.pem
├── [ 178] ec_public_key.pem
├── [3.0K] pom.xml
├── [2.9K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] symphony_solutions
        │           └── [4.0K] demo
        │               ├── [4.0K] config
        │               │   └── [3.1K] SecurityConfig.java
        │               ├── [4.0K] controller
        │               │   └── [ 493] ProtectedController.java
        │               ├── [ 317] DemoApplication.java
        │               └── [4.0K] util
        │                   ├── [4.1K] JwtGenerator.java
        │                   └── [1.8K] JwtUtils.java
        └── [4.0K] resources
            ├── [ 168] application.yml
            ├── [ 241] private_key.pem
            └── [ 178] public_key.pem

10 directories, 12 files