Bug 1869800 (CVE-2020-8911)
| Summary: | CVE-2020-8911 aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agarcial, aileenc, amasferr, anpicker, aos-bugs, aos-storage-staff, bbennett, bbrownin, bibryam, bmontgom, chazlett, dgoodwin, dmace, drieden, dwhatley, dymurray, eparis, eric.wittmann, erooth, fpokorny, ganandan, ggaughan, gmalinko, go-sig, gparvin, hchiramm, hvyas, ibolton, janstey, jburrell, jchaloup, jmatthew, jmmahler, jmontleo, jochrist, jokerman, jramanat, jweiser, jwon, kconner, krathod, lcosic, madam, maszulik, mcressma, mfojtik, mrunge, nstielau, obulatov, pantinor, rcernich, rhs-bugs, rrajasek, rtalur, sbatsche, sd-operator-metering, sfowler, shurley, slucidi, sponnaga, sseago, stcannon, sttts, surbania, tfister, tflannag, thee |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | github.com/aws/aws-sdk-go v1.34.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the AWS S3 Crypto SDK that allows users to encrypt files stored in S3 buckets with AES-CBC, without computing a MAC on the data. This allows for a padding oracle, enabling attackers with both write access to the target S3 bucket and the ability to observe the result of valid decryption attempts to potentially recover original plaintext. This is not an issue if files in S3 buckets are not encrypted with CBC mode, which is disabled in V2 of the AWS S3 Crypto SDK.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-14 08:08:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1870497, 1872516 | ||
| Bug Blocks: | 1869804 | ||
|
Description
Michael Kaplan
2020-08-18 16:56:39 UTC
External References: https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9 https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09 On closer inspection it appears that the service/s3/s3crypto subpath of the aws/aws-sdk-go package is not used in any CAM containers making them unaffected. Latest related upstream fix is in version 1.34.0: https://github.com/aws/aws-sdk-go/commit/12ff57a16373dda5a0c22eafdf0fa1c4c224f7c4 Statement: The following products include components that use the AWS SDK (aws/aws-sdk-go), however they do not include code that encrypts or decrypts files in S3 buckets (aws/aws-sdk-go/service/s3/s3crypto). The below products are not affected by this flaw: * Red Hat Cluster Application Migration * Red Hat OpenShift Container Platform * Red Hat OpenShift ServiceMesh * Red Hat OpenShift Container Storage * Red Hat Ceph Storage * Red Hat Gluster Storage This issue has been addressed in the following products: 3scale API Management Via RHSA-2021:3851 https://access.redhat.com/errata/RHSA-2021:3851 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8911 |