search cancel

CVE-2022-21449 impact on CA Risk Auth and CA Strong Auth


Article ID: 240516


Updated On:


CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort) CA Risk Authentication CA Strong Authentication


We've recently come across CVE-2022-21449 which is of very high risk. Can you please check and confirm if this has impact on any of the Broadcom products?

CA Risk Auth and CA Strong Auth


Release : 9.1

Component : Strong Authentication

Risk Authentication


The bug only impacts Java 15 and above. The original advisory from Oracle incorrectly listed earlier versions (like 7, 8 and 11) as being impacted. They have since corrected this. Note that they now only list 17 and 18, because 15 and 16 are no longer supported.

Bouncy Castle is not impacted by this vulnerability. They have their own ECDSA implementation, and it performs the relevant check to prevent this bug.

Advanced Authentication components ( Strong Auth and Risk Auth) are not vulnerable because of the above reason.