ThreatX SOC Vulnerability Alert: CVE-2022-21449 “Psychic Signatures”

PUBLISHED ON April 28, 2022
LAST UPDATED Apr 28, 2022

Earlier this week, the ThreatX SOC deployed a rule to protect our client base from a newly discovered vulnerability in Java – CVE-2022-21449, known as “Psychic Signatures.” This rule detects and blocks attempts to use an empty (all-zero) ECDSA signature for JWT-based authorization.

What Is Psychic Signatures?

CVE-2022-21449 (“Psychic Signatures”) in Java is a vulnerability that impacts ECDSA signatures in Java versions 15 to 18. Although just discovered on April 19, 2022, the bug was introduced in Java version 15 when cryptographic libraries formerly written in native C++ were rewritten in Java. The vulnerability stems from the lack of a simple check that the two values in an ECDSA signature, r and s, are non-zero (ECDSA requires both to lie in the range 1 to n-1, where n is the curve order). Without this check an attacker may be able to bypass authentication entirely. Oracle released fixes for this issue for supported Java versions 17 and 18.

How Dangerous Is It?

Classified by the NVD as high severity, this vulnerability allows a malicious server to forge SSL certificates and handshakes, compromising integrity in cases where ECDSA signatures are used for validation. It also impacts signed JWTs, SAML assertions, OIDC id tokens, and WebAuthn authentication messages when ECDSA signatures are used. 

With this vulnerability, a malicious actor could submit a null signature, with both ECDSA values (r and s) set to zero, and an unpatched verifier would accept it as valid. Ultimately, it compromises any security mechanism that relies on the Java implementation of ECDSA signatures.
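The SOC rule described at the top of this alert and the zero-value condition explained above can be illustrated with a small inspector for JWS signatures. This is an added example, not ThreatX's rule or Java's code: it assumes the JWS convention that an ES256/ES384/ES512 signature is the raw concatenation r||s, applies the r, s in [1, n-1] check that the vulnerable Java versions lacked (the upper bound is only enforced for P-256 here; ES384/ES512 get the zero check), and builds its own constructed sample tokens.

```python
import base64
import json

# Curve order n for P-256 (ES256); a valid ECDSA signature needs 1 <= r, s <= n-1.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# JWS ECDSA algorithms and the byte length of each signature component (r and s).
ES_COMPONENT_LEN = {"ES256": 32, "ES384": 48, "ES512": 66}
# Orders for P-384/P-521 are omitted in this example; the zero check still applies to them.
ES_ORDER = {"ES256": P256_ORDER}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt_signature(token: str) -> str:
    """Classify a compact JWS: 'ok', 'not-ecdsa', 'malformed' or 'invalid-range'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad JSON or bad UTF-8 all derive from ValueError
        return "malformed"
    if not isinstance(header, dict) or header.get("alg") not in ES_COMPONENT_LEN:
        return "not-ecdsa"
    clen = ES_COMPONENT_LEN[header["alg"]]
    if len(sig) != 2 * clen:
        return "malformed"
    r = int.from_bytes(sig[:clen], "big")
    s = int.from_bytes(sig[clen:], "big")
    n = ES_ORDER.get(header["alg"])
    # The Psychic Signatures case: r = s = 0 must be rejected before any curve math runs.
    if any(v == 0 or (n is not None and v >= n) for v in (r, s)):
        return "invalid-range"
    return "ok"


def make_token(alg: str, sig: bytes) -> str:
    """Build a constructed (unsigned-in-earnest) sample token with the given raw signature bytes."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = json.dumps({"alg": alg, "typ": "JWT"}).encode()
    payload = json.dumps({"sub": "constructed-sample"}).encode()
    return ".".join([enc(header), enc(payload), enc(sig)])
```

Run over real traffic, anything that returns "invalid-range" on an ES* token is worth alerting on, since no legitimate signer ever produces a zero r or s.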

How to Respond 

If you are running Java versions 15 or later, make sure to apply the latest security updates released by Oracle. 

For More Details 

From the NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-21449 

From Oracle: https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA 

Contact ThreatX: https://www.threatx.com/contact-us/ 

About the Author

Michael Napolitano

Michael is a SOC Analyst currently working in the ThreatX Security Operations Center and is based out of the Tri-State Area. Michael has prior experience as a cyber incident responder with a focus in forensics. Michael holds a Bachelor's Degree in Computer Science from Northeastern University. Michael's interests include scripting/automation and cyber security education. Outside of work, Michael enjoys playing card games and following New York sports.