Mark,
On 4/29/22 18:17, Mark Thomas wrote:
On 29/04/2022 19:41, Christopher Schultz wrote:
1. The underlying JVM is affected
2. A Connector is defined which uses mutual TLS
3. The client's key is ECDSA
I was thinking that on startup, we could check for a vulnerable
environment and simply
Fri, 29 Apr 2022 at 21:41, Christopher Schultz :
>
> All,
>
> CVE-2022-21449 is a bug in the JDK which allows a malicious signer using
> ECDSA to forge a signature which an affected (buggy) verifier fails to
> detect.
>
> I used deliberate language above instead of "client" and "server"
> because
Hi
OpenJ9 is not affected I think, so version wouldn't be enough; the JVM name
should be tested too.
On Sat, 30 Apr 2022 at 00:18, Mark Thomas wrote:
> On 29/04/2022 19:41, Christopher Schultz wrote:
>
> > 1. The underlying JVM is affected
> > 2. A Connector is defined which uses mutual TLS
>
On 29/04/2022 19:41, Christopher Schultz wrote:
1. The underlying JVM is affected
2. A Connector is defined which uses mutual TLS
3. The client's key is ECDSA
I was thinking that on startup, we could check for a vulnerable
environment and simply refuse to start the server.
If there are n
> Subject: Tomcat mitigations for CVE-2022-21449
>
> All,
>
> CVE-2022-21449 is a bug in the JDK which allows a malicious signer using
> ECDSA to forge a signature which an affected (buggy) verifier fails to detect.
>
> I used deliberate language above instead of "client" a
All,
CVE-2022-21449 is a bug in the JDK which allows a malicious signer using
ECDSA to forge a signature which an affected (buggy) verifier fails to
detect.
I used deliberate language above instead of "client" and "server"
because in many cases, the server is performing verification as well
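As an added illustration, not code from this thread or from Tomcat, here is the shape of the startup check discussed above: refuse to start when the JVM is in the affected range, the JVM is not an OpenJ9 build (per the follow-up that OpenJ9 is not affected), and a Connector with mutual TLS is configured. The class name `EcdsaVerifierCheck`, the affected release range and first fixed updates, and the use of `java.vm.name` to tell OpenJ9 from HotSpot are assumptions to be confirmed against the JDK vendor's advisory; whether an mTLS Connector exists is passed in as a boolean rather than read from server.xml, and the sample version strings in `main` are constructed.

```java
import java.util.Map;

/**
 * Added example, not Tomcat code: a startup check for CVE-2022-21449 of the
 * kind proposed in the thread. It combines three conditions: the JVM version
 * is in the affected range, the JVM is not an OpenJ9 build, and a Connector
 * using mutual TLS is defined.
 */
public final class EcdsaVerifierCheck {

    // ASSUMPTION: affected feature releases and the first update release per
    // feature that carries the fix. Confirm against your JDK vendor's advisory.
    private static final int FIRST_AFFECTED_FEATURE = 15;
    private static final int LAST_AFFECTED_FEATURE = 18;
    private static final Map<Integer, Integer> FIRST_FIXED_UPDATE = Map.of(17, 3, 18, 1);

    public enum Verdict { OK, REFUSE_START }

    /**
     * ASSUMPTION: the thread says OpenJ9 is not affected, so the VM name is
     * checked as well as the version. Anything that is not OpenJ9 is treated
     * as potentially affected (fail closed).
     */
    static boolean isAffectedVm(String vmName) {
        return vmName == null || !vmName.contains("OpenJ9");
    }

    /** True when the version lies in the assumed affected range and below the fixed update. */
    static boolean isAffectedVersion(Runtime.Version v) {
        int feature = v.feature();
        if (feature < FIRST_AFFECTED_FEATURE || feature > LAST_AFFECTED_FEATURE) {
            return false;
        }
        Integer fixedUpdate = FIRST_FIXED_UPDATE.get(feature);
        // No known fixed update for this feature release: treat as affected.
        if (fixedUpdate == null) {
            return true;
        }
        return v.update() < fixedUpdate;
    }

    /** Decision: refuse to start only when all three conditions from the thread hold. */
    static Verdict evaluate(Runtime.Version version, String vmName, boolean mutualTlsConnectorDefined) {
        if (mutualTlsConnectorDefined && isAffectedVm(vmName) && isAffectedVersion(version)) {
            return Verdict.REFUSE_START;
        }
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed sample inputs to show the decision table.
        String hotspot = "OpenJDK 64-Bit Server VM";
        String openj9 = "Eclipse OpenJ9 VM";
        for (String s : new String[] {"11.0.14", "17.0.2", "17.0.3", "18"}) {
            System.out.println(s + " / " + hotspot + " / mTLS -> "
                    + evaluate(Runtime.Version.parse(s), hotspot, true));
        }
        System.out.println("17.0.2 / " + openj9 + " / mTLS -> "
                + evaluate(Runtime.Version.parse("17.0.2"), openj9, true));
        System.out.println("17.0.2 / " + hotspot + " / no mTLS -> "
                + evaluate(Runtime.Version.parse("17.0.2"), hotspot, false));

        // Evaluate the JVM actually running this check; pass "true" as the
        // first argument to indicate that an mTLS Connector is configured.
        boolean mtls = args.length > 0 && Boolean.parseBoolean(args[0]);
        Verdict verdict = evaluate(Runtime.version(), System.getProperty("java.vm.name"), mtls);
        System.out.println("This JVM " + Runtime.version() + " ("
                + System.getProperty("java.vm.name") + "), mTLS=" + mtls + " -> " + verdict);
        if (verdict == Verdict.REFUSE_START) {
            System.exit(1);
        }
    }
}
```

Run with `java EcdsaVerifierCheck true` to evaluate the current JVM as if an mTLS Connector were defined. The check fails closed on an unknown VM name because a false negative here means silently accepting forged client signatures, whereas a false positive only blocks startup on a host that is easy to whitelist once the vendor advisory has been consulted.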