CVE-2022-21449

HIGH LAB

Azul Zulu - Unauthenticated Data Manipulation via Multiple Protocols

Title source: llm

Exploitation Summary

EIP tracks 13 public exploits for CVE-2022-21449. PoCs published by notkmhn, jfrog, thack1.

AI-analyzed exploit summary: This repository contains a proof-of-concept for CVE-2022-21449, demonstrating a TLS signature validation bypass in Java. The PoC includes a modified Go TLS server that presents invalid ECDSA signatures (r = s = 0) and a vulnerable Java client that accepts them.

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized creation, deletion or modification access to critical data, or to all Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Exploits (13)

nomisec · WORKING POC · 123 stars
by notkmhn · poc
https://github.com/notkmhn/CVE-2022-21449-TLS-PoC

This repository contains a proof-of-concept for CVE-2022-21449, demonstrating a TLS signature validation bypass in Java. The PoC includes a modified Go TLS server that presents invalid ECDSA signatures (r = s = 0) and a vulnerable Java client that accepts them.

Classification: Working PoC 95% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Java applications using TLS with ECDSA certificates
No auth needed
Prerequisites: A vulnerable Java client · Modified Go TLS server with invalid signature generation
Analyzed by devstral-2, Feb 16, 2026

nomisec · SCANNER · 37 stars
by jfrog · poc
https://github.com/jfrog/jfrog-CVE-2022-21449

This repository contains a Python script and a Bash script to scan Java archives (JAR, WAR, etc.) for the presence of the 'withECDSA' string, indicating potential vulnerability to CVE-2022-21449. It does not exploit the vulnerability but helps identify affected files.

Classification: Scanner 100% · Attack type: Other · Complexity: Trivial · Reliability: Reliable
Target: Java applications using ECDSA
No auth needed
Prerequisites: Access to Java archives (JAR, WAR, etc.)
Analyzed by devstral-2, Feb 16, 2026

nomisec · WRITEUP · 5 stars
by thack1 · poc
https://github.com/thack1/CVE-2022-21449

This repository provides a Zeek script to detect exploitation attempts of CVE-2022-21449, a vulnerability in Java-based TLS clients where null signatures can bypass authentication. It includes installation and usage instructions, along with example output.

Classification: Writeup 100% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Java-based TLS clients (TLS 1.2 and below)
No auth needed
Prerequisites: Network traffic capture (PCAP) containing TLS handshakes
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC · 2 stars
by jmiettinen · poc
https://github.com/jmiettinen/CVE-2022-21449-vuln-test

This PoC tests for CVE-2022-21449, a vulnerability in Java's ECDSA signature verification that allows an empty signature to be accepted as valid. It generates a key pair, attempts to verify an empty signature, and reports whether the JVM is vulnerable.

Classification: Working PoC 100% · Attack type: Auth Bypass · Complexity: Trivial · Reliability: Reliable
Target: Java 15, 16, 17, and 18 (prior to the April 2022 CPU)
No auth needed
Prerequisites: Java runtime environment (JRE) affected by CVE-2022-21449
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC · 1 star
by fevra-dev · poc
https://github.com/fevra-dev/ClaimJumper

This repository contains a comprehensive JWT security testing toolkit with functional exploit code for multiple CVEs, including CVE-2022-21449 (Psychic Signature). It includes modules for analyzing, cracking, forging, and exploiting JWT vulnerabilities with specific attack implementations.

Classification: Working PoC 95% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: JSON Web Token (JWT) libraries and implementations
No auth needed
Prerequisites: JWT token to analyze or exploit · Python environment with dependencies
Analyzed by devstral-2, Mar 10, 2026

nomisec · WRITEUP · 1 star
by HeyMrSalt · poc
https://github.com/HeyMrSalt/AIS3-2024-Project-D5Team

This repository is a writeup and reference collection for CVE-2022-21449, a Java cryptographic vulnerability. It includes acknowledgments, references, and links to external resources but does not contain exploit code.

Classification: Writeup 100% · Attack type: Other · Complexity: Trivial · Reliability: Theoretical
Target: Java (multiple versions)
No auth needed
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by volodymyr-hladkyi-symphony · poc
https://github.com/volodymyr-hladkyi-symphony/demo-cve-2022-21449

This repository demonstrates CVE-2022-21449, a vulnerability in Java's ECDSA signature verification that allows bypassing JWT token validation using zeroed signatures (r = 0, s = 0). It includes a Spring Boot application to test valid and fake JWT tokens.

Classification: Working PoC 95% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Java 17 (without the security patch for CVE-2022-21449)
No auth needed
Prerequisites: Java 17 without the security patch · Maven for building the project
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by AlexanderZinoni · poc
https://github.com/AlexanderZinoni/CVE-2022-21449

This repository contains a Python implementation of CVE-2022-21449, demonstrating ECDSA vulnerability exploitation with tools for elliptic curve operations, ECIES encryption, and key generation.

Classification: Working PoC 90% · Attack type: Other · Complexity: Moderate · Reliability: Theoretical
Target: Java implementations of ECDSA
No auth needed
Prerequisites: Python libraries: numpy, matplotlib, PyCryptodomex
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by davwwwx · poc
https://github.com/davwwwx/CVE-2022-21449

This PoC generates a base64 signature for applications vulnerable to 'psychic signatures in Java' (CVE-2022-21449) by exploiting a flaw in JWT signature validation. It uses a modified elliptic library to create a signature that bypasses validation, demonstrating an authentication bypass vulnerability.

Classification: Working PoC 90% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Applications using Java libraries for JWT signature validation (e.g., java-jwt, jjwt)
No auth needed
Prerequisites: Node.js environment · Modified elliptic library from davwwwx/elliptic
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by Skipper7718 · poc
https://github.com/Skipper7718/CVE-2022-21449-showcase

This repository contains a Java-based PoC for CVE-2022-21449, demonstrating an authentication bypass vulnerability in Oracle Java SE 17.0.0. The exploit leverages a flaw in the ECDSA signature verification process, allowing arbitrary input to be accepted as valid.

Classification: Working PoC 90% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Oracle Java SE 17.0.0
No auth needed
Prerequisites: Java SE 17.0.0 environment
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by Damok82 · poc
https://github.com/Damok82/SignChecker

This PoC demonstrates CVE-2022-21449, a vulnerability in Java's ECDSA signature verification that allows for 'psychic signatures' (accepting invalid signatures). The code generates or loads an EC key pair, signs a message, and verifies both valid and attacker-provided signatures to show the flaw.

Classification: Working PoC 95% · Attack type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Java <= 17.0.2 (fixed in 17.0.3)
No auth needed
Prerequisites: Java environment with a vulnerable version (<= 17.0.2)
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by marschall · poc
https://github.com/marschall/psychic-signatures

This PoC demonstrates CVE-2022-21449, a vulnerability in Java's ECDSA signature verification where blank signatures are incorrectly validated. The test case shows that a blank signature should not be valid but may pass verification due to the flaw.

Classification: Working PoC 90% · Attack type: Auth Bypass · Complexity: Trivial · Reliability: Reliable
Target: Java (multiple versions, including Java 15, 16, 17, and 18)
No auth needed
Prerequisites: Java environment with a vulnerable version
Analyzed by devstral-2, Feb 16, 2026

References (18)

Patch, Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/28/2
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/28/3
Mailing List: http://www.openwall.com/lists/oss-security/2022/04/28/4
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/28/5
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/28/6
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/28/7
Third Party Advisory: https://security.netapp.com/advisory/ntap-20220429-0006/
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/29/1
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/30/1
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/30/2
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/30/4
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/04/30/3
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/05/01/1
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/05/01/2
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/05/02/1
Third Party Advisory, Vendor Advisory (Debian): https://www.debian.org/security/2022/dsa-5128
Third Party Advisory, Vendor Advisory (Debian): https://www.debian.org/security/2022/dsa-5131

Scores

CVSS v3: 7.5
EPSS: 0.4668
EPSS Percentile: 98.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: partial

Details

Status: published
Products (21)
azul/zulu 15.38
azul/zulu 17.32
azul/zulu 18.28
debian/debian_linux 10.0
debian/debian_linux 11.0
netapp/7-mode_transition_tool
netapp/active_iq_unified_manager (2 CPE variants)
netapp/cloud_insights
netapp/e-series_santricity_os_controller 11.0
netapp/e-series_santricity_storage_manager
... and 11 more
Published: Apr 19, 2022
Tracked Since: Feb 18, 2026