Improper Authorization Affecting com.amazonaws:aws-dynamodb-encryption-java package, versions [,1.15.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
9 Feb 2021
8 Feb 2021
How to fix?
com.amazonaws:aws-dynamodb-encryption-java to version 1.15.0 or higher.
com.amazonaws:aws-dynamodb-encryption-java is a package that supports encryption and signing of your data when stored in Amazon DynamoDB.
Affected versions of this package are vulnerable to Improper Authorization. This concerns users of
MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified.
When key usage permissions are changed at the key provider, time-based key reauthorization logic in
MostRecentProvider does not reauthorize the use of the key. This creates the potential for keys to be used in the DynamoDB Encryption Client after permissions to do so were revoked at the key provider.
Users who cannot upgrade to use the
CachingMostRecentProvider can call
clear() on the cache to manually flush all of its contents. Next use of the key will force a re-validation to occur with the key provider.