CVE-2024-23680: 
Java vulnerability analysis and mitigation

AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 contains a vulnerability where it incorrectly validates some invalid ECDSA signatures (NVD). The vulnerability was disclosed on January 19, 2024, affecting the AWS Encryption SDK's signature validation mechanism.

The vulnerability is related to improper verification of cryptographic signatures (CWE-347). The issue specifically affects the ECDSA signature validation process in the AWS Encryption SDK for Java. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium), with an attack vector of Network, low attack complexity, requiring no privileges or user interaction (AttackerKB).

While the vulnerability affects signature validation, there is no direct impact on the integrity of the ciphertext or decrypted plaintext. However, organizations relying on ECDSA signatures for non-repudiation may be affected. The streaming mode allows callers to stream plaintext of signed messages before ECDSA signature validation, though the SDK still uses AES-GCM encryption and verifies all plaintext before release (GitHub Advisory).

Users should upgrade to version 1.9.0 or 2.2.0 which contain fixes for this vulnerability. For customers using streaming features, it's recommended to ensure client code reads to the end of the stream before using released plaintext. A new API has been introduced for streaming unsigned messages only. Additionally, users processing ESDK messages from untrusted sources should implement the new maximum encrypted data keys parameter (GitHub Advisory).