Bug 2156700 (CVE-2022-2582)

Summary: CVE-2022-2582 aws-sdk-go: Unencrypted md5 plaintext hash in metadata in AWS S3 Crypto SDK for golang
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: aws-sdk-go 1.34.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-29 04:32:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2156701, 2156702    
Bug Blocks:    

Description Avinash Hanwate 2022-12-28 08:20:01 UTC 
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

https://github.com/aws/aws-sdk-go/commit/35fa6ddf45c061e0f08d3a3b5119f8f4da38f6d1
https://pkg.go.dev/vuln/GO-2022-0391
Comment 1 Avinash Hanwate 2022-12-28 08:24:53 UTC 
Created golang-github-aws-aws-sdk-go tracking bugs for this issue:

Affects: epel-7 [bug 2156701]


Created golang-github-aws-sdk tracking bugs for this issue:

Affects: fedora-36 [bug 2156702]
Comment 2 Product Security DevOps Team 2022-12-29 04:32:20 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.