smallrye-jwt and Java ECDSA Signature Vulnerability


Sergey Beryozkin

May 5, 2022, 9:02:17 AM
to SmallRye
Hi

We prepared a message to the Quarkus community last week about the Java 17/18 ECDSA Signature Vulnerability:

but I've realized now that not all smallrye-jwt users are Quarkus users.
There was a smallrye-jwt issue opened a while back to support ECDSA signature verification, and MP JWT 1.2 now formally supports such signatures, so I think there is a high chance some applications using smallrye-jwt depend on such signatures.
So if you are one of the users who work with JWT tokens signed using an ES256 algorithm and use Java 17/18, then please make sure your JDK is patched with the latest April 2022 patch, see
for more details

Thanks, Sergey
