CVE-2020-8897— Robustness weakness in AWS KMS and Encryption SDKs

Robustness weakness in AWS KMS and Encryption SDKs

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

加密问题

Amazon AWS Encryption SDK 加密问题漏洞

Amazon AWS Encryption SDK是美国亚马逊（Amazon）公司的一个应用于加密的开发工具包。 AWS Encryption SDK存在安全漏洞，该漏洞源于SDK使用了AES-GCM（以及其他AEAD密码，例如AES-GCM-SIV或（X）ChaCha20Poly1305）的非提交属性来加密消息，攻击者可以制作独特的密文，该密文将解密为多个不同的密文。以下产品及版本受到影响：Java, Python, C and Javalcript SDK 2.0.0版本之前。

N/A

N/A