Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-55xh-53m6-936r. This link is maintained to preserve external references. Original Description AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their …
This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth and there is no impact on the integrity of decrypted plaintext. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is …
This advisory duplicates another.