Critical vulnerabilities in TLS implementation for Java


In January and April 2014, Oracle has released critical Java software security updates. They resolve, amongst others, three vulnerabilities discovered by researchers from the Horst Görtz Institute for IT Security at the Ruhr-Universität Bochum. These vulnerabilities affect the “Java Secure Socket Extension” (JSSE), a software library implementing the “Transport Layer Security” protocol (TLS). TLS is used to encrypt sensitive information transferred between browsers and web servers, such as passwords and credit card data, for example.

Similar to Heartbleed

Recently, the Heartbleed vulnerability of OpenSSL, the most important TLS implementation, has hit the headlines. Like OpenSSL, JSSE is an open source TLS implementation, maintained by Oracle. The researchers discovered three weaknesses in the JSSE library, two of which could be used to completely break the security of TLS encryption. Following the “responsible disclosure” paradigm, the team of Prof Dr Jörg Schwenk privately informed Oracle about these vulnerabilities prior to public announcement. The researchers recommend to install Oracle’s software updates for applications using JSSE as soon as possible.

How to break TLS in JSSE

JSSE was found vulnerable to so-called “Bleichenbacher attacks.” First, the researchers intercepted an encrypted communication between a client (e.g. a web browser) and a server. Then, they sent a few thousands requests to the server; by examining the responses of the server they could compute the secret session key. This session key can be used to decrypt all data exchanged between client and server. The first vulnerability was based on critical information that the TLS server transmitted via error messages. The second one was based on different response times of the JSSE server. Bleichenbacher attacks are complex cryptographic attacks, also referred to as adaptive chosen-ciphertext attacks.

April patch from Oracle solves another problem

The April patch provided by Oracle also fixes another cryptographic algorithm (PKCS#1 v2.1, aka RSA-OAEP), which was vulnerable to a different adaptive chosen-ciphertext attack. This algorithm is not used in TLS, but in other security-critical applications, such as Web Services, for instance.