GHSA-72FP-W44G-625Q

Vulnerability from github – Published: 2023-11-09 16:02 – Updated: 2023-11-09 16:02
VLAI
Summary
Signing DynamoDB Sets when using the AWS Database Encryption SDK.
Details

Impact

This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map.

DB-ESDK for DynamoDB supports SIGN_ONLY and ENCRYPT_AND_SIGN attribute actions. In version 3.1.0 and below, when a Set type is assigned a SIGN_ONLY attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined.

This update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB.

Patches

Fixed in version 3.1.1 We recommend all users upgrade as soon as possible.

Workarounds

None

References

For more information on how to address records with Sets marked as SIGN_ONLY written by versions 3.1.0 and below of DB-ESDK, see AWS Database Encryption SDK Decrypt with Permute

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "software.amazon.cryptography:aws-database-encryption-sdk-dynamodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-09T16:02:51Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nThis advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map.\n\nDB-ESDK for DynamoDB supports `SIGN_ONLY` and `ENCRYPT_AND_SIGN` attribute actions. In version 3.1.0 and below, when a Set type is assigned a `SIGN_ONLY` attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined.\n\nThis update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB.\n\n### Patches\nFixed in version 3.1.1 \nWe recommend all users upgrade as soon as possible.\n\n### Workarounds\nNone\n\n### References\nFor more information on how to address records with Sets marked as `SIGN_ONLY` written by versions 3.1.0 and below of DB-ESDK, see [AWS Database Encryption SDK Decrypt with Permute](https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/tree/v3.1.1/DecryptWithPermute)",
  "id": "GHSA-72fp-w44g-625q",
  "modified": "2023-11-09T16:02:51Z",
  "published": "2023-11-09T16:02:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/security/advisories/GHSA-72fp-w44g-625q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/commit/e3aa016895a3e2533b9a3c1ec88458d6667b3245"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-database-encryption-sdk-dynamodb-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/releases/tag/v3.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Signing DynamoDB Sets when using the AWS Database Encryption SDK."
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.