As well as supplying Cryptosense Analyzer to our customers so they can test their applications, we frequently apply the tool ourselves to widely-used open source software including the Java JDK. The Oracle Critical Patch Update (CPU) of 17th October contained patches for two CVEs discovered at Cryptosense in collaboration with our partners at University of Venice Ca’ Foscari.
The first issue was weak password-based cryptography discovered in the keystores provided in OpenJDK and Oracle Hotspot Java. Regular blog readers will have already seen our articles on the weak (SHA-1 + XOR) encryption in the JKS (the default keystore type up to and including Java 8) and the 20-iteration key derivation in the JCEKS store (NIST recommended minimum is 10000 iterations). The PKCS#12 keystore also uses a low number of iterations (1024). These issues are easily detected by our Analyzer, which traces all calls to the Java crypto interface, including internal calls from standard libraries.
The October 2017 CPU contained patches for some of these problems. The default number of iterations for PKCS#12 is 50 000, and for JCEKS it’s now 200 000. The JKS keystore is unfortunately still very weak but now creating such a keystore using the command-line keytool produces a warning.
Cryptosense Analyzer already detected these vulnerabilities including calculating exactly how strong a keystore’s encryption is for a given password, but our rules can now also suggest an easy remediation for the PKCS#12 and JCEKS case (apply the new patch). The Analyzer will continue to warn when JKS keystores are used inside applications.
And the second CVE?
This will stay under wraps until the paper describing the work is published – it has just been accepted for presentation at the Network and Distributed System Security Symposium (NDSS) in San Diego in February 2018.
Update March 2018 The paper has been published and details fo the second CVE, which allows for arbitrary code execution via a deserialization bug in JCEKS keystores, has been revealed. Get more details in the paper
Meanwhile to find more issues in Java cryptography you can try our Analyzer.