CVE-2022-21449 PoC — Oracle Java SE Input Validation Error Vulnerability

Associated Vulnerability
Title: Oracle Java SE Input Validation Error Vulnerability (CVE-2022-21449)
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Readme
# Demo Project: CVE-2022-21449 Vulnerability

This project demonstrates the CVE-2022-21449 vulnerability, which affects Java's ECDSA signature verification. The vulnerability allows a malicious actor to bypass signature verification by using a signature with zero values (`r=0` and `s=0`). The project uses real and fake JWT tokens with EC signatures to showcase the issue on Java 17 without the security patch.

## Features
- **Real JWT Token**: A valid JWT token signed with an EC private key.
- **Fake JWT Token**: A JWT token with a zeroed signature (`r=0`, `s=0`).
- **Validation**: Demonstrates how the vulnerability allows the fake token to pass validation.

## Prerequisites
- **Java 17** (without the security patch for CVE-2022-21449).
- **Maven** for building the project.

## Project Structure
- `JwtGenerator`: Generates real and fake JWT tokens.
- `JwtUtils`: Validates JWT tokens using a public EC key.
- `SecurityConfig`: Configures Spring Security to demonstrate token-based authentication.
- `ProtectedController`: Provides endpoints to test token-based access control.

## How to Use the `JwtGenerator` Console App
The `JwtGenerator` class is a standalone console application that generates and prints both valid and fake JWT tokens.

### Steps to Run
1. **Build the Project**:
   ```bash
   mvn clean install
   ```

2. **Run the `JwtGenerator` Class**:
   ```bash
   mvn exec:java -Dexec.mainClass="com.symphony_solutions.demo.util.JwtGenerator"
   ```

3. **Output**:
   The application will print:
    - A valid JWT token.
    - A fake JWT token with a zeroed signature.

   Example:
   ```
   === Valid JWT ===
   eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsInJvbGVzIjpbIkFETUlOIiwiVVNFUiJdLCJpYXQiOjE2NzAwMDAwMDAsImV4cCI6MTY3MDAzNjAwMH0.<signature>

   === Fake JWT with zero signature ===
   eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJib2IiLCJyb2xlcyI6WyJBRE1JTiIsIlVTRVIiXSwiaWF0IjoxNjcwMDAwMDAwLCJleHAiOjE2NzAwMzYwMDB9.<zeroed_signature>
   ```

4. **Use the Tokens**:
    - Copy the tokens and use them to test the vulnerability in the application or other tools.

## Demonstrating the Vulnerability
1. **Start the Application**:
   ```bash
   mvn spring-boot:run
   ```

2. **Access Protected Endpoints**:
    - Use a valid token to access `/protected/user` or `/protected/admin`.
    - Use the fake token to demonstrate how the vulnerability allows unauthorized access.

3. **Endpoints**:
    - `/protected/user`: Requires `USER` or `ADMIN` role.
    - `/protected/admin`: Requires `ADMIN` role.

## Important Notes
- This project is for educational purposes only. Do not use it in production environments.
- Ensure your Java version is updated with the security patch to mitigate CVE-2022-21449.
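
A defence-in-depth check for the zeroed signature described above, as an added example that is not part of the demo project: it rejects any ES256-style JWT whose raw `R||S` signature has `r` or `s` outside `[1, n-1]` before the token reaches the verifier, and includes a start-up self-check that reports whether the running JVM accepts an all-zero signature. The class name, method names and sample token are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;

// Added example, not the demo project's code. All names here are hypothetical.
public class EcdsaSignatureGuard {
    /** True only if the signature segment is raw R||S with 1 <= r, s < n for the key's curve. */
    static boolean hasValidRange(String jwt, ECPublicKey key) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false;                              // not valid base64url
        }
        BigInteger n = key.getParams().getOrder();     // group order of the key's curve
        int len = (n.bitLength() + 7) / 8;             // 32 bytes for P-256
        if (sig.length != 2 * len) return false;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(sig, 0, len));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, len, 2 * len));
        return r.signum() > 0 && s.signum() > 0 && r.compareTo(n) < 0 && s.compareTo(n) < 0;
    }

    /** Start-up self-check: does this JVM's ECDSA verifier accept an all-zero signature? */
    static boolean jvmAcceptsZeroSignature(KeyPair kp) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withECDSAinP1363Format");
        v.initVerify(kp.getPublic());
        v.update("self-check".getBytes(StandardCharsets.UTF_8));
        try {
            return v.verify(new byte[64]);             // r = 0, s = 0
        } catch (SignatureException e) {
            return false;                              // rejected as malformed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = g.generateKeyPair();              // throwaway key for the check
        // Constructed sample: empty header and payload ("{}") with a 64-byte zero signature.
        String zeroed = "e30.e30." + Base64.getUrlEncoder().withoutPadding().encodeToString(new byte[64]);
        System.out.println("guard accepts zeroed token: " + hasValidRange(zeroed, (ECPublicKey) kp.getPublic()));
        System.out.println("JVM accepts zero signature: " + jvmAcceptsZeroSignature(kp));
    }
}
```

The guard prints `false` on any JVM; the second line prints `true` only on a runtime that still has the flaw, which makes it usable as a deployment health check.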

## References
- [CVE-2022-21449 Details](https://nvd.nist.gov/vuln/detail/CVE-2022-21449)
- [Java Security Updates](https://www.oracle.com/security-alerts/)

## License
This project is licensed under the MIT License.
File Snapshot

```
[4.0K]  /data/pocs/b9dff573116aa51c5ad4a1939401e81e887bc7a9
├── [ 241]  ec_private_key.pem
├── [ 178]  ec_public_key.pem
├── [3.0K]  pom.xml
├── [2.9K]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        ├── [4.0K]  java
        │   └── [4.0K]  com
        │       └── [4.0K]  symphony_solutions
        │           └── [4.0K]  demo
        │               ├── [4.0K]  config
        │               │   └── [3.1K]  SecurityConfig.java
        │               ├── [4.0K]  controller
        │               │   └── [ 493]  ProtectedController.java
        │               ├── [ 317]  DemoApplication.java
        │               └── [4.0K]  util
        │                   ├── [4.1K]  JwtGenerator.java
        │                   └── [1.8K]  JwtUtils.java
        └── [4.0K]  resources
            ├── [ 168]  application.yml
            ├── [ 241]  private_key.pem
            └── [ 178]  public_key.pem

10 directories, 12 files
```