@JurrianFahner
Last active June 7, 2022 21:43
Test whether your Java version is affected by CVE-2022-21449 ("Psychic Signatures": ECDSA verification accepted a signature with r = 0 and s = 0).

How to run (Java 11 or newer, using the JEP 330 single-file source launcher, so no javac step is needed)

The affected releases are Java 15 through 18, where the EC code was rewritten in Java; the fix shipped in the April 2022 update (17.0.3, 18.0.1). Java 11 can run the tester but was never affected, so it reports false.

On the command line:

java CVETester.java

In a Docker container (no editor installed), create the file from stdin:

cat > CVETester.java

Paste the Java code below, then press Ctrl+D to end the input. Confirm with `cat CVETester.java` that the file has the same contents, then run:

java CVETester.java

A vulnerable JDK prints "... [CVE-2022-21449]: true"; a patched one prints false.

import java.security.*;

public class CVETester {
    public static void main(String... args) throws Exception {
        // Fresh EC key pair; "EC" defaults to secp256r1 (P-256) on Java 11+,
        // so a P1363-encoded signature is r || s with 32 bytes each, 64 bytes total.
        var keys = KeyPairGenerator.getInstance("EC").generateKeyPair();

        // All-zero signature, i.e. r = 0 and s = 0. A correct verifier must reject it,
        // because ECDSA requires 1 <= r, s <= n-1; that range check is what the bug omitted.
        var blankSignature = new byte[64];

        // Raw P1363 (r || s) encoding rather than DER, so the zero bytes map directly to r = s = 0.
        var sig = Signature.getInstance("SHA256WithECDSAInP1363Format");
        sig.initVerify(keys.getPublic());
        // The message is signed data, not encrypted; the wording of the literal is immaterial.
        sig.update("Some random text to be encrypted".getBytes());

        // true  -> the blank signature was accepted: this JDK is vulnerable
        // false -> rejected: this JDK is patched or was never affected
        var result = sig.verify(blankSignature);
        System.out.println("Java is vulnerable for Psychic Signatures bug [CVE-2022-21449]: " + result);
    }
}
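Why a 64-byte block of zeros verifies at all is not obvious from the tester itself. The following Python toy ECDSA over P-256 is an added example (it is not part of this gist and not a transcription of the JDK code): it implements verification once without the r, s in [1, n-1] range check and once with it, and feeds both the all-zero P1363 signature the Java tester uses. The vulnerable path models the flaw by computing the inverse of s with Fermat's little theorem (which silently yields 0 for s = 0) and by treating the point at infinity as having x = 0; how exactly the JDK reached the same outcome is not shown here. Needs Python 3.8+ for pow(x, -1, m).

```python
"""Toy ECDSA over NIST P-256 showing why r = 0, s = 0 verifies when the
range check is missing (CVE-2022-21449).  Illustration only, not the JDK code."""
import hashlib
import secrets

# NIST P-256 domain parameters (the curve Java's "EC" KeyPairGenerator defaults to)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication; k = 0 gives the point at infinity."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, point_mul(d, G)


def sign(priv, msg):
    """Returns the signature in P1363 form: r || s, 32 bytes each."""
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = point_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def verify_vulnerable(pub, msg, r, s):
    """No range check.  s**(n-2) mod n is 0 for s = 0, so u1 = u2 = 0, the sum is
    the point at infinity, its x is taken as 0, and 0 == r holds for r = 0."""
    e = hash_to_int(msg)
    w = pow(s, N - 2, N)                # Fermat inverse: returns 0 instead of failing
    u1, u2 = e * w % N, r * w % N
    R = point_add(point_mul(u1, G), point_mul(u2, pub))
    x = 0 if R is None else R[0]        # identity modelled as x = 0
    return x % N == r


def verify_fixed(pub, msg, r, s):
    """Correct ECDSA verification: reject r or s outside [1, n-1] and an identity result."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, N)
    R = point_add(point_mul(e * w % N, G), point_mul(r * w % N, pub))
    return R is not None and R[0] % N == r


def verify_p1363(pub, msg, sig, strict=True):
    """Split a raw r || s signature (what the Java tester passes) and verify it."""
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    return (verify_fixed if strict else verify_vulnerable)(pub, msg, r, s)


if __name__ == "__main__":
    priv, pub = keygen()
    message = b"Some random text to be encrypted"     # same constructed message as the gist
    blank = bytes(64)                                 # the Java tester's new byte[64]
    print("real signature, fixed verifier:     ", verify_p1363(pub, message, sign(priv, message)))
    print("blank signature, vulnerable verifier:", verify_p1363(pub, message, blank, strict=False))
    print("blank signature, fixed verifier:     ", verify_p1363(pub, message, blank))
```

The blank signature is accepted by the unchecked verifier for any public key and any message, which is what makes the bug exploitable against anything that trusts ECDSA signatures (JWTs, SAML, certificates); the one-line range check in verify_fixed is the whole fix.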