
Cloud Vulnerability DB
A community-led vulnerabilities database
The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repository contains middleware used with the Application Load Balancer (ALB) OpenID Connect integration for ASP.NET Core deployments. This vulnerability (CVE-2024-10125) was discovered and disclosed on October 21, 2024, and affects all versions of the middleware. It impacts deployments across various AWS services including Fargate, EKS, ECS, EC2, and Lambda (AWS Security Bulletin).
The vulnerability stems from a flaw in the JWT handling code: although the token signature is validated, the code does not validate the JWT issuer or the signer identity. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N, indicating a network-accessible vulnerability that requires no privileges or user interaction (GitHub Advisory).
When combined with a configuration where infrastructure allows internet traffic to ALB targets (though not recommended), this vulnerability enables attackers to sign JWTs with untrusted entities and potentially mimic valid OIDC-federated sessions to the ALB targets. This could lead to unauthorized access to protected resources (AWS Security Bulletin).
The repository and package have been deprecated and marked as End of Life, with no active support. As workarounds, AWS recommends ensuring ELB targets (EC2 Instances, Fargate Tasks, etc.) do not have public IP addresses. For any forked or derivative code, it's crucial to validate that the signer attribute in the JWT matches the ARN of the Application Load Balancer that the service is configured to use (AWS Security Bulletin).
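The signer check described above, as an added Python example that is not the middleware's own code: it parses the header of an ALB-issued JWT and rejects any token whose `signer` field is not the configured ALB ARN. The ALB ARN is a constructed placeholder; the header field names (`alg`, `kid`, `signer`) follow AWS's documentation for ALB-issued tokens, and signature verification against the ALB public key is assumed to happen separately using the returned `kid`.

```python
import base64
import json

# Constructed placeholder for the ARN of the ALB this service is configured to sit behind.
EXPECTED_ALB_ARN = (
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "loadbalancer/app/example-alb/0123456789abcdef"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_alb_signer(token: str, expected_alb_arn: str) -> str:
    """Require that the token's 'signer' header equals the configured ALB ARN.

    Returns the key id (kid) so the caller can fetch the matching ALB public
    key and verify the signature; this function does not verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    signer = header.get("signer")
    if signer != expected_alb_arn:
        raise ValueError(f"untrusted signer: {signer!r}")
    if header.get("alg") != "ES256":  # ALB signs its tokens with ES256
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("missing kid in token header")
    return kid


def is_token_from_expected_alb(token: str, expected_alb_arn: str = EXPECTED_ALB_ARN) -> bool:
    try:
        check_alb_signer(token, expected_alb_arn)
        return True
    except ValueError:
        return False


def make_test_token(header: dict) -> str:
    # Constructed token for testing: given header, dummy payload, dummy signature.
    payload = {"sub": "user@example.com"}
    segments = [_b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    return ".".join(segments) + "." + _b64url_encode(b"\x00" * 64)
```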
The vulnerability was responsibly disclosed through a coordinated disclosure process between Miggo Security and AWS (AWS Security Bulletin).
Source: This report was generated using AI