Mark,
On 4/29/22 18:17, Mark Thomas wrote:
On 29/04/2022 19:41, Christopher Schultz wrote:
1. The underlying JVM is affected
2. A Connector is defined which uses mutual TLS
3. The client's key is ECDSA
I was thinking that on startup, we could check for a vulnerable
environment and simply
Fri, 29 Apr 2022 at 21:41, Christopher Schultz :
>
> All,
>
> CVE-2022-21449 is a bug in the JDK which allows a malicious signer using
> ECDSA to forge a signature which an affected (buggy) verifier fails to
> detect.
>
> I used deliberate language above instead of "client" and "server"
> because
Hi
OpenJ9 is not affected I think, so version wouldn't be enough; the JVM name
should be tested too.
On Sat, 30 Apr 2022 at 00:18, Mark Thomas wrote:
> On 29/04/2022 19:41, Christopher Schultz wrote:
>
>
>
> > 1. The underlying JVM is affected
> > 2. A Connector is defined which uses mutual TLS
>
On 29/04/2022 19:41, Christopher Schultz wrote:
1. The underlying JVM is affected
2. A Connector is defined which uses mutual TLS
3. The client's key is ECDSA
I was thinking that on startup, we could check for a vulnerable
environment and simply refuse to start the server.
If there are n
Personally I like this approach. I would suggest putting a descriptive error
description in the logs if this is detected and startup is aborted. From an
environment where curtailing vulnerabilities is key, regardless of the source,
this is truly a Martha Stewart moment. It's a good thing. :-)
Th
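As an added illustration of the startup guard proposed above (this is example code, not Tomcat's own and not from anyone in the thread), a check that keys on the VM name as well as the version, since OpenJ9 is said to be unaffected. The affected version window (feature releases 15 to 18, fixed in 17.0.3 and 18.0.1) is an assumption to confirm against the vendor advisory; the OpenJ9 exemption is taken from the remark above, and condition 3 (the client key being ECDSA) cannot be known at startup, so the guard errs on the side of refusing.

```java
import java.util.Optional;

/** Startup guard for CVE-2022-21449 on mutual-TLS connectors (example code). */
public final class EcdsaJvmGuard {

    /** Returns a descriptive reason to abort startup, or empty if it may proceed. */
    public static Optional<String> abortReason(String vmName, Runtime.Version version,
                                               boolean mutualTlsConnectorDefined) {
        if (!mutualTlsConnectorDefined) {
            return Optional.empty(); // condition 2 unmet: no client certificates are verified
        }
        // A version check alone is not enough: OpenJ9 ships its own EC code and is
        // ASSUMED unaffected here, so the VM name is consulted as well.
        if (vmName != null && vmName.contains("OpenJ9")) {
            return Optional.empty();
        }
        if (isAffected(version)) {
            return Optional.of("Refusing to start: " + vmName + " " + version
                + " is affected by CVE-2022-21449 (ECDSA signature forgery) and a"
                + " mutual-TLS Connector is configured; upgrade the JVM before starting.");
        }
        return Optional.empty();
    }

    /** ASSUMED affected window: feature releases 15..18 before the fixing update. */
    static boolean isAffected(Runtime.Version v) {
        int feature = v.feature();
        if (feature < 15 || feature > 18) {
            return false;
        }
        // ASSUMPTION: fixed in 17.0.3 and 18.0.1; 15 and 16 are treated as affected outright.
        int fixedUpdate = switch (feature) {
            case 17 -> 3;
            case 18 -> 1;
            default -> Integer.MAX_VALUE;
        };
        return v.update() < fixedUpdate;
    }

    public static void main(String[] args) {
        // Evaluate the running JVM as if a mutual-TLS Connector were defined.
        Optional<String> reason =
            abortReason(System.getProperty("java.vm.name"), Runtime.version(), true);
        reason.ifPresent(r -> {
            System.err.println(r); // descriptive error in the log before aborting
            System.exit(1);
        });
        System.out.println("JVM check passed: " + Runtime.version());
    }
}
```

Running it with `java EcdsaJvmGuard` on the target JVM prints the abort reason and exits non-zero when the assumed conditions hold.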