CVE-2024-23680

CVE-2024-23680 is a medium-severity security vulnerability in com.amazonaws:aws-encryption-sdk-java (maven), affecting versions < 1.9.0. It is fixed in 1.9.0, 2.2.0.

Summary

Workarounds

None

For more information

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x

Impact

This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages.

This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth and there is no impact on the integrity of decrypted plaintext.

This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In addition to these signatures, the ESDK uses AES-GCM encryption and all plaintext is verified before being released to a caller. There is no impact on the integrity of the ciphertext or decrypted plaintext; however, some callers may rely on the ECDSA signature for non-repudiation. Without validating the ECDSA signature, an actor with trusted KMS permissions to decrypt a message may also be able to encrypt messages. This update introduces a new API for callers who wish to stream only unsigned messages.

For customers who process ESDK messages from untrusted sources, this update also introduces a new configuration to limit the number of Encrypted Data Keys (EDKs) that the ESDK will attempt to process per message. This configuration provides customers with a way to limit the number of AWS KMS Decrypt API calls that the ESDK will make per message. This setting will reject messages with more EDKs than the configured limit.

Finally, this update adds early rejection of invalid messages with certain invalid combinations of algorithm suite and header data.

Affected versions

  • com.amazonaws:aws-encryption-sdk-java (< 1.9.0)
  • com.amazonaws:aws-encryption-sdk-java (>= 2.0.0, < 2.2.0)

Security releases

  • com.amazonaws:aws-encryption-sdk-java → 1.9.0 (maven)
  • com.amazonaws:aws-encryption-sdk-java → 2.2.0 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Fixed in versions 1.9 and 2.2. We recommend that all users upgrade to address these issues.

Customers leveraging the ESDK’s streaming features have several options to protect signature validation. One is to ensure that client code reads to the end of the stream before using released plaintext. With this release, using the new API for streaming and falling back to the non-streaming decrypt API for signed messages prevents using any plaintext from signed data before the signature is validated. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x

Users processing ESDK messages from untrusted sources should use the new maximum encrypted data keys parameter. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/about-versions.html#version2.2.x
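The two remediation steps above (unsigned-only streaming with a non-streaming fallback, and the encrypted data key limit) combined in one decrypt routine. This is an added example, not code from the advisory or the SDK project. It targets version 2.2.0 or later with the KMS master key provider; the class name, the limit of 3 and the temp-file handling are assumptions, as is the expectation that a rejected message surfaces as an AwsCryptoException.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoInputStream;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

// Hypothetical helper class (name and layout are illustrative).
public final class HardenedDecrypt {
    // Assumed limit: set it to the largest number of wrapping keys your own
    // producers use. Messages carrying more EDKs are rejected.
    private static final int MAX_EDKS = 3;

    public static void decryptFile(String keyArn, Path in, Path out) throws IOException {
        AwsCrypto crypto = AwsCrypto.builder()
                .withMaxEncryptedDataKeys(MAX_EDKS)
                .build();
        // Strict mode: only the named KMS key is ever used for decryption.
        KmsMasterKeyProvider provider = KmsMasterKeyProvider.builder().buildStrict(keyArn);

        // Plaintext goes to a scratch file first, so nothing from a message
        // that later fails is visible at the final path.
        Path tmp = Files.createTempFile(out.toAbsolutePath().getParent(), "esdk-", ".part");
        try {
            try (InputStream src = Files.newInputStream(in);
                 CryptoInputStream<KmsMasterKey> dec =
                         crypto.createUnsignedMessageDecryptingStream(provider, src)) {
                // Streaming path: accepts unsigned messages only.
                Files.copy(dec, tmp, StandardCopyOption.REPLACE_EXISTING);
            } catch (AwsCryptoException streamFailure) {
                // Fallback path: non-streaming decrypt, which returns plaintext
                // only after the whole message, including any ECDSA signature,
                // has been validated. A genuinely invalid message throws again
                // here and the scratch file is deleted in the finally block.
                byte[] plaintext = crypto.decryptData(provider, Files.readAllBytes(in)).getResult();
                Files.write(tmp, plaintext);
            }
            Files.move(tmp, out, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

The fallback retries every failed message once, so an invalid message can cost a second round of KMS Decrypt calls; the EDK limit bounds how many calls each attempt can make.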

Frequently Asked Questions

  1. What is CVE-2024-23680? CVE-2024-23680 is a medium-severity security vulnerability in com.amazonaws:aws-encryption-sdk-java (maven), affecting versions < 1.9.0. It is fixed in 1.9.0, 2.2.0.
  2. Which versions of com.amazonaws:aws-encryption-sdk-java are affected by CVE-2024-23680? com.amazonaws:aws-encryption-sdk-java (maven) versions < 1.9.0 are affected.
  3. Is there a fix for CVE-2024-23680? Yes. CVE-2024-23680 is fixed in 1.9.0, 2.2.0. Upgrade to this version or later.
  4. Is CVE-2024-23680 exploitable, and should I be worried? Whether CVE-2024-23680 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2024-23680 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2024-23680?
    • Upgrade com.amazonaws:aws-encryption-sdk-java to 1.9.0 or later
    • Upgrade com.amazonaws:aws-encryption-sdk-java to 2.2.0 or later
