#announcements
2022-04-21
plexus05:04:21

New Java releases are out which fix a critical security vulnerability. https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

👍 9
❤️ 2
plexus05:04:09

I'm not really sure yet to what extent widely used Clojure libraries are impacted by this, but I do see that buddy uses some of the affected classes. If you're using buddy, especially with JWT, I would not wait to upgrade. In general, if you're running an app exposed to the internet, I would not wait to upgrade.

plexus05:04:18

Note that this impacts Java 15 and later, if you're still on 8 or 11 (as many are) then you are not currently vulnerable.

seancorfield06:04:28

Not all of the JDK providers have updated binaries yet...

jumar07:04:28

I played with it a bit here: https://github.com/jumarko/clojure-experiments/blob/master/src/clojure_experiments/security/signing.clj#L1 I wasn't able to reproduce the problem when using buddy-sign but that's probably just because of the lack of skill. As others said, I wouldn't wait with the upgrade.

javahippie06:04:44

The Temurin Build and Release Process is really taking its time 😕

Cora (she/her)07:04:44

@U06BE1L6T buddy uses bouncy castle which isn't vulnerable to this

plexus08:04:27

That's for buddy-hashers, how about buddy-sign?

plexus08:04:55

   :ecdsa+sha256         #(Signature/getInstance "SHA256withECDSA" "BC")
   :ecdsa+sha384         #(Signature/getInstance "SHA384withECDSA" "BC")
   :ecdsa+sha512         #(Signature/getInstance "SHA512withECDSA" "BC")

jumar08:04:35

Thanks plexus, a good reminder not to accept quick answers without checking 🙂 It may still be that buddy isn't vulnerable at all, but I wouldn't trust myself to claim that.

plexus08:04:16

yeah same here, I have not dug deep enough to confirm whether it's vulnerable or not, but at a cursory glance it could be