Java JDK Security Advisory #202109

Last updated Apr 13, 2023

ForgeRock are aware of a serious vulnerability in the implementation of certain cryptographic operations in Java® JDK versions 15 and later: CVE-2022-21449. This vulnerability affects Oracle® Java and OpenJDK, including other JDKs derived from OpenJDK. You should follow the advice in this advisory to secure your deployments at the earliest opportunity.

Archived

This article has been archived and is no longer maintained by ForgeRock.

Identity Cloud customers

This advisory does not apply to the ForgeRock Identity Cloud. This advisory only applies to software deployments of the ForgeRock Identity Platform. 

November 18, 2021

ForgeRock are aware of a serious vulnerability (CVE-2022-21449) in the implementation of certain cryptographic operations in Java JDK versions 15 and later. This vulnerability affects Oracle Java and OpenJDK, including other JDKs derived from OpenJDK. ForgeRock have informed the OpenJDK vulnerability team about the issue and a fix is being worked on. Until a fix is ready from your JDK vendor, ForgeRock advises our customers not to deploy to production with any affected versions of Java.

As this is a bug in the Java runtime environment, ForgeRock is not able to offer patches. We recommend following the advice or workarounds in this advisory.

Note

ForgeRock supports customers using Java 8 and 11. Other versions might also work; if you run one of them, take note of the suggested Bouncy Castle workaround. However, when opening a support ticket for an issue, please make sure you can also reproduce the problem on a supported Java version.

Workarounds

You can secure your deployments using one of the following two options:

  • Option 1: Deploy ForgeRock products with Java 11 only. This is the preferred solution. Java 11 is the only long-term support (LTS) Java version that most ForgeRock products support.
  • Option 2: Configure your JVM to use Bouncy Castle as the preferred cryptographic provider as these libraries are not vulnerable. You will need to ensure the corresponding JCE provider JAR is installed and then configure it as the preferred provider in the java.security file (this can be found in the $JAVA_HOME directory; the exact path varies by version but a common location is $JAVA_HOME/conf/security).

Setting up Bouncy Castle Example (Applies only to Option 2)

  1. Download the latest bcprov-ext-jdk15on-xxx.jar and bcprov-jdk15on-xxx.jar files from Bouncy Castle if needed; they are listed in the SIGNED JAR FILES section.
  2. Copy these two jar files to a directory that the JVM searches.
  3. Ensure the file permissions for these two jar files are set to allow them to be read.
  4. Update the list of security providers in the JVM to put Bouncy Castle first and then renumber the other security providers to follow. This list is set in the java.security text file; each entry takes the provider's fully qualified class name (or, for the built-in providers, its name). The security provider list should now look similar to this:

     security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
     security.provider.2=SUN
     [...]

     This step is recommended by Bouncy Castle and you can read more about it here: The Legion of the Bouncy Castle - Specifications.
  5. Save this file and restart the relevant ForgeRock product.

See Configure the Provider for further information.
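As an added example that is not part of the ForgeRock advisory, the following Java program checks that the Option 2 configuration actually took effect: it prints the installed provider order (which mirrors the security.provider.N entries in java.security), reports which provider the JCA selects for SHA256withECDSA, and runs a sign/verify round trip in which a tampered signature must be rejected. It assumes the Bouncy Castle provider JAR is on the classpath; the class name ProviderOrderCheck and the test message are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

/** Post-configuration check for Option 2 (assumes bcprov-jdk15on-xxx.jar is on the classpath). */
public class ProviderOrderCheck {
    /** Sign a constructed message, then confirm a valid signature verifies and a tampered one does not. */
    static boolean roundTrip(String algorithm) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        byte[] message = "constructed test message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        boolean goodAccepted = verifier.verify(sig);
        byte[] tampered = sig.clone();
        tampered[tampered.length - 1] ^= 0x01;   // flip one bit in the DER-encoded s value
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        boolean badRejected;
        try {
            badRejected = !verifier.verify(tampered);
        } catch (SignatureException e) {
            badRejected = true;                   // a malformed signature is also a rejection
        }
        return goodAccepted && badRejected;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Installed order mirrors the security.provider.N entries in java.security
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d=%s%n", i + 1, providers[i].getName());
        }
        if (!"BC".equals(providers[0].getName())) {
            System.err.println("Bouncy Castle is not first: re-check the java.security provider list.");
        }
        // The provider that actually backs ECDSA is what matters for this advisory
        String alg = "SHA256withECDSA";
        System.out.println(alg + " is served by: " + Signature.getInstance(alg).getProvider().getName());
        System.out.println("sign/verify sanity check passed: " + roundTrip(alg));
    }
}
```

Run it with the same JVM and java.security file the ForgeRock product uses; if the reported provider is not BC, the edited file is not the one that JVM is reading.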

Change Log

The following table tracks changes to the advisory:

Date               Description
April 13, 2023     Archived article
April 20, 2022     Added CVE and link to Oracle Critical Patch Update Advisory
November 18, 2021  Initial release
Copyright and Trademarks

Copyright © 2023 ForgeRock, all rights reserved.