Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to the most recent release of AWS-LC.
Impacted versions:
- AWS-LC >= v1.24.0, < v1.71.0
- AWS-LC-FIPS >=3.0.0, < 3.3.0
Patches
The patch is included in AWS-LC v1.71.0, AWS-LC-FIPS-3.3.0.
Workarounds
Applications can workaround this issue if they do not enable CRL checking (X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.
Otherwise, there is no workaround and applications using AWS-LC should upgrade to the most recent releases of AWS-LC.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Summary
AWS-LC is an open-source, general-purpose cryptographic library.
Impact
A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to the most recent release of AWS-LC.
Impacted versions:
Patches
The patch is included in AWS-LC v1.71.0, AWS-LC-FIPS-3.3.0.
Workarounds
Applications can workaround this issue if they do not enable CRL checking (
X509_V_FLAG_CRL_CHECK). Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.Otherwise, there is no workaround and applications using AWS-LC should upgrade to the most recent releases of AWS-LC.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.