Automated Detection of CVE-2022-21449 (“Psychic Signatures”)

Graham Steel
April 26, 2022

First revealed on Neil Madden’s blog, CVE-2022-21449 is a bug in recent releases of the Java runtime that allows an attacker to bypass signature verification in the widely used ECDSA signature scheme. Proof-of-concept exploits show how, for example, to impersonate Google as a TLS server.
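To make the verification step concrete, here is an added example (our illustration, not Cryptosense's code or anything from the Java runtime or Neil Madden's blog): a minimal, pure-Python ECDSA over P-256 whose verifier performs the range check that the ECDSA standard requires on the signature values r and s. The `range_check=False` path is an assumption-labelled model of a verifier that skips that check and treats the modular inverse of zero as zero, which is the class of defect behind this CVE; it exists only to show what the check prevents. The curve parameters are the public NIST P-256 constants; everything else (function names, the sample message) is constructed for this example and the code is not constant-time or production-grade.

```python
"""Constructed example: ECDSA over P-256 with the mandatory range check on (r, s)."""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity (group identity)


def point_add(p1, p2):
    """Affine point addition/doubling on P-256 (illustrative, not constant-time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication; k == 0 yields the identity."""
    result = INF
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    # SHA-256 output is the same width as n, so no truncation is needed.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def generate_keypair():
    d = secrets.randbelow(N - 1) + 1          # private scalar in [1, n-1]
    return d, scalar_mult(d, G)               # (private, public point)


def sign(d, msg):
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1      # per-signature nonce
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s == 0:
            continue
        return (r, s)


def verify(pub, msg, sig, range_check=True):
    """Return True iff sig is a valid ECDSA signature of msg under pub.

    range_check=True is the correct verifier. range_check=False is a MODEL
    (an assumption of this example) of a verifier that omits the [1, n-1]
    check and whose modular inverse silently maps 0 to 0.
    """
    r, s = sig
    if range_check and not (1 <= r < N and 1 <= s < N):
        return False                           # the check the CVE was missing
    e = hash_to_int(msg)
    if range_check:
        w = pow(s, -1, N)
    else:
        w = pow(s, -1, N) if s % N else 0      # modelled flaw: inverse(0) == 0
    u1 = e * w % N
    u2 = r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if R is INF:
        # A correct verifier rejects the identity outright. The modelled flaw
        # effectively read its x-coordinate as 0, which then "matches" r == 0.
        return (not range_check) and r % N == 0
    return R[0] % N == r


if __name__ == "__main__":
    d, pub = generate_keypair()
    message = b"constructed sample message"   # constructed input
    sig = sign(d, message)
    print("genuine signature accepted:", verify(pub, message, sig))
    print("all-zero signature, strict verifier:", verify(pub, message, (0, 0)))
    print("all-zero signature, modelled flaw:", verify(pub, message, (0, 0), range_check=False))
```

The strict verifier rejects any signature with r or s outside [1, n-1] before touching the curve arithmetic, which is the property a patched runtime restores; the modelled path shows how skipping that step lets a content-free signature pass for any message and any public key.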

Cryptosense Analyzer Platform already reports use of vulnerable Java provider versions, but to help prioritize patching, we wanted our users to be able to see which of their applications actually use the ECDSA functionality that was found to be vulnerable, and do so through a vulnerable provider. The result is a new rule in Cryptosense Analyzer Platform, shown in the screenshot below.

To detect vulnerability to CVE-2022-21449 in your applications, you can try Cryptosense for free in SaaS or get in touch to find out about on-prem options.