CVE-2022-21449 is identified as a high risk. Can you please check and confirm if this has impact on Advanced Authentication product?
Release : Advanced Authentication 9.1 (Applicable to all the supported releases)
Component : Strong Authentication and Risk Authentication
The bug only impacts Java 15 and above. The original advisory from Oracle incorrectly listed earlier versions (like 7, 8 and 11) as being impacted. They have since corrected this. Note that they now only list 17 and 18, because 15 and 16 are no longer supported.
Bouncy Castle is not impacted by this vulnerability. They have their own ECDSA implementation, and it performs the relevant check to prevent this bug.
Advanced Authentication components ( Strong Auth and Risk Auth) are not vulnerable because of the above reason.