Announcement!
This is a notification for product news or an alert. If you have a question, please start a new discussion

Advisory: Sage CRM NOT impacted by CVE-2022-21449 vulnerability

CVE-2022-21449 is known as the “Psychic Signatures” Vulnerability in Java.

This security vulnerability originates in an improper implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) signature verification algorithm within Java. This vulnerability allows an attacker to potentially intercept communication and messages that should have otherwise been encrypted. This may be SSL handshakes, signatures, certificates, etc., should they be using ECDSA.

The only supported Java versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18;
Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2

Please note that this is not one of the versions of Oracle Java SE that is implemented within Sage CRM.

e.g.

Sage CRM 2018 R2 uses Java SE 8u92
Sage 2021 R2 uses Java SE 8u152.

We will cover in another article how to separately upgrade the Java SE version used in Sage CRM to provide reassurance of how manual mitigation can be used if another Java vulnerability is identified.

See:  https://www.sagecity.com/sage-global-solutions/sage-crm/b/sage-crm-hints-tips-and-tricks/posts/how-to-manually-upgrade-the-java-runtime-environment-jre-version-used-by-sage-crm

This applies to Sage CRM stand-alone and when integrated with Sage accounting products. Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.

Links