Aws Libcrypto
Monthly
PKCS7 signature validation bypass in AWS-LC allows unauthenticated attackers to forge valid signatures on PKCS7 objects containing Authenticated Attributes, potentially enabling malicious code execution or data tampering in applications relying on this cryptographic library. Applications using AWS-LC should immediately upgrade to version 1.69.0, while AWS service customers are not directly impacted. The vulnerability has a CVSS score of 7.5 and currently has no public exploits reported.
Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.
AWS-LC's PKCS7_verify() function fails to properly validate certificate chains in multi-signer scenarios, allowing unauthenticated attackers to forge signatures by bypassing verification of all but the final signer. This affects applications directly using AWS-LC library, though AWS service customers are unaffected. Users should upgrade to AWS-LC version 1.69.0 or later to remediate the vulnerability.
PKCS7 signature validation bypass in AWS-LC allows unauthenticated attackers to forge valid signatures on PKCS7 objects containing Authenticated Attributes, potentially enabling malicious code execution or data tampering in applications relying on this cryptographic library. Applications using AWS-LC should immediately upgrade to version 1.69.0, while AWS service customers are not directly impacted. The vulnerability has a CVSS score of 7.5 and currently has no public exploits reported.
Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.
AWS-LC's PKCS7_verify() function fails to properly validate certificate chains in multi-signer scenarios, allowing unauthenticated attackers to forge signatures by bypassing verification of all but the final signer. This affects applications directly using AWS-LC library, though AWS service customers are unaffected. Users should upgrade to AWS-LC version 1.69.0 or later to remediate the vulnerability.