Skip to content

[SDK-3311] Added protection against CVE-2022-21449#579

Merged
poovamraj merged 6 commits intomasterfrom
psychic-signature-vulnerability-protection
May 5, 2022
Merged

[SDK-3311] Added protection against CVE-2022-21449#579
poovamraj merged 6 commits intomasterfrom
psychic-signature-vulnerability-protection

Conversation

@poovamraj
Copy link
Copy Markdown
Contributor

@poovamraj poovamraj commented May 3, 2022

Changes

This PR will implement defence against CVE-2022-21449 by validating the signatures structure so that

  • The entire signature is not filled with zero
  • The value of R and S are not zero
  • The value of R and S are not less than 1 compared to the ECDSA Algorithm's order

References

Testing

We have added Unit Tests to check for the vulnerable signature. We have ensured the logic we use to validate the signature is also unit tested

  • This change adds test coverage
  • This change has been tested on the latest version of Java or why not

@poovamraj poovamraj requested a review from a team as a code owner May 3, 2022 14:06
@poovamraj poovamraj added this to the v3-Next milestone May 3, 2022
@lbalmaceda
Copy link
Copy Markdown
Contributor

lbalmaceda commented May 5, 2022

LGTM

@poovamraj poovamraj merged commit 34caf1f into master May 5, 2022
@poovamraj poovamraj modified the milestones: v3-Next, 3.19.2 May 5, 2022
@poovamraj poovamraj mentioned this pull request May 5, 2022
Merged
@jimmyjames jimmyjames deleted the psychic-signature-vulnerability-protection branch October 15, 2022 02:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@stevehobbsdev stevehobbsdev stevehobbsdev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

CH: Security review:large Large review

Projects

None yet

Milestone

3.19.2

Development

Successfully merging this pull request may close these issues.

3 participants

@poovamraj @lbalmaceda @stevehobbsdev