
CVE-2022-21449 impact on CA Risk Auth and CA Strong Auth


Article ID: 240516


Updated On:

Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

CA Risk Authentication

CA Strong Authentication

Issue/Introduction

We've recently come across CVE-2022-21449, which is of very high risk. Can you please check and confirm if this has an impact on any of the Broadcom products?

CA Risk Auth and CA Strong Auth

Environment

Release: 9.1

Component: Strong Authentication, Risk Authentication

Resolution

The bug only impacts Java 15 and above. The original advisory from Oracle incorrectly listed earlier versions (such as 7, 8 and 11) as being impacted. Oracle has since corrected this. Note that the advisory now lists only 17 and 18, because 15 and 16 are no longer supported.

Bouncy Castle is not impacted by this vulnerability. It has its own ECDSA implementation, which performs the relevant check to prevent this bug.

Advanced Authentication components (Strong Auth and Risk Auth) are not vulnerable, for the reasons given above.
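
The check referred to above is the ECDSA rule that both signature integers r and s must lie in the range 1 to n-1, where n is the order of the curve. The Java code below is an added example, not Broadcom, Oracle or Bouncy Castle code; the class name `EcdsaRangeGuard` and the sample inputs are constructed for illustration. It enforces that rule before any JCA provider sees the signature, so the outcome does not depend on which Java version supplies the ECDSA implementation.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
// Added example (hypothetical class name): range-check r and s before any provider verifies.
public class EcdsaRangeGuard {
    static int readLen(ByteBuffer b) {            // DER length: short form or one-byte long form
        int l = b.get() & 0xff;
        if (l == 0x80 || l > 0x81) throw new IllegalArgumentException("unsupported length");
        return l < 0x80 ? l : b.get() & 0xff;
    }
    static BigInteger readInt(ByteBuffer b) {     // DER INTEGER, signed big-endian
        if (b.get() != 0x02) throw new IllegalArgumentException("INTEGER expected");
        byte[] v = new byte[readLen(b)];
        b.get(v);
        return new BigInteger(v);
    }
    // True only if sig is SEQUENCE { r, s } with 1 <= r, s <= n-1; malformed input fails closed.
    static boolean inRange(byte[] sig, ECPublicKey key) {
        BigInteger n = key.getParams().getOrder();
        try {
            ByteBuffer b = ByteBuffer.wrap(sig);
            if (b.get() != 0x30 || readLen(b) != b.remaining()) return false;
            BigInteger r = readInt(b), s = readInt(b);
            return !b.hasRemaining() && r.signum() > 0 && r.compareTo(n) < 0
                    && s.signum() > 0 && s.compareTo(n) < 0;
        } catch (RuntimeException e) { return false; }
    }
    static boolean verify(ECPublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        if (!inRange(sig, key)) return false;     // reject before the provider sees it
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(key);
        v.update(msg);
        return v.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = g.generateKeyPair();
        ECPublicKey pub = (ECPublicKey) kp.getPublic();
        byte[] msg = {1, 2, 3};                   // constructed sample message
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] bad = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, (byte) 0xff}; // constructed: s = -1
        System.out.println("genuine signature accepted: " + verify(pub, msg, s.sign()));
        System.out.println("out-of-range signature accepted: " + verify(pub, msg, bad));
    }
}
```

The length reader handles only the one-byte long form, which is enough for signatures on curves up to P-521; anything else is rejected.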