
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A low severity vulnerability was identified in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB, tracked as GHSA-72fp-w44g-625q. The issue affects versions 3.0.0 through 3.1.0 of the aws-database-encryption-sdk-dynamodb Maven package and was disclosed on November 8, 2023. The vulnerability specifically impacts DynamoDB Set attributes that are marked as SIGN_ONLY, including Sets that are part of Lists or Maps (GitHub Advisory).
The vulnerability occurs when a Set type is assigned a SIGN_ONLY attribute action in the DB-ESDK for DynamoDB. The core issue lies in the signature validation process: records containing Sets may fail validation during read operations, even when the Set attributes contain identical values. Whether validation fails depends on the element order within the Set and on DynamoDB's undefined data return behavior (GitHub Release).
The primary impact of this vulnerability is the potential failure of signature validation when reading records containing Sets marked as SIGN_ONLY. This can affect system functionality and data access, even when the Set attributes contain the same values, due to the undefined ordering behavior of DynamoDB (GitHub Advisory).
The vulnerability has been patched in version 3.1.1 of the AWS Database Encryption SDK for DynamoDB. The fix ensures that Set values are canonicalized in the same order during both write operations to DynamoDB and read operations from DynamoDB. Users are strongly recommended to upgrade to version 3.1.1 as soon as possible, as no alternative workarounds are available (GitHub Release).
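Why element order matters for a signed Set, shown as an added example that is not the DB-ESDK's own code: HMAC-SHA256 stands in for the SDK's signature, and the length-prefixed encoding, the byte-wise sort order, the key and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def serialize_naive(elements):
    """Length-prefix each element in the order received (order-sensitive)."""
    out = b""
    for e in elements:
        b = e.encode("utf-8")
        out += len(b).to_bytes(4, "big") + b
    return out


def serialize_canonical(elements):
    """Same encoding, but over a fixed order so writer and reader agree."""
    # Assumption: a byte-wise sort serves as the canonical order in this demo.
    return serialize_naive(sorted(elements, key=lambda e: e.encode("utf-8")))


def sign(elements, serializer):
    return hmac.new(KEY, serializer(elements), hashlib.sha256).digest()


def verify(elements, tag, serializer):
    return hmac.compare_digest(sign(elements, serializer), tag)


# Constructed sample: one String Set as written, and as a later read returns it.
written = ["alice", "bob", "carol"]
returned = ["carol", "alice", "bob"]  # same members, different order


def demo():
    naive_tag = sign(written, serialize_naive)
    canon_tag = sign(written, serialize_canonical)
    return {
        "naive_same_order": verify(written, naive_tag, serialize_naive),
        "naive_reordered": verify(returned, naive_tag, serialize_naive),
        "canonical_reordered": verify(returned, canon_tag, serialize_canonical),
        "canonical_tampered": verify(returned + ["mallory"], canon_tag, serialize_canonical),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

The reordered read fails only under the order-sensitive serializer; with a canonical order the same members verify, while a changed member set is still rejected.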
Source: This report was generated using AI