CVE-2026-3337
MEDIUM5.9EPSS 0.04%AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
描述
### Summary AWS-LC is an open-source, general-purpose cryptographic library. ### Impact Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. aws-lc-sys and aws-lc-fips-sys contain code from AWS-LC. Applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys. ### Impacted versions: - aws-lc-sys versions: >= 0.14.0, < 0.38.0 - aws-lc-fips-sys versions: >= v0.13.0, < 0.13.12. ### Patches The patch is included in aws-lc-sys v.0.38.0 and aws-lc-fips-sys v0.13.12. ### Workarounds In the special cases of using AES-CCM with (M=4, L=2), (M=8, L=2), or (M=16, L=2), applications can workaround this issue by using AES-CCM through the EVP AEAD API using implementations EVP_aead_aes_128_ccm_bluetooth, EVP_aead_aes_128_ccm_bluetooth_8, and, EVP_aead_aes_128_ccm_matter respectively. Otherwise, there is no workaround and applications using aws-lc-sys or aws-lc-fips-sys should upgrade to the most recent releases of aws-lc-sys or aws-lc-fips-sys. ### Resources If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the[vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue. ### Acknowledgement AWS-LC would like to thank Joshua Rogers (https://joshua.hu/) for collaborating on this issue through the coordinated vulnerability disclosure process.
受影響套件(4)
- crates.io/aws-lc-fips-sys>= 0.13.0, < 0.13.12
- crates.io/aws-lc-fips-sys>= 0.13.0, < 0.13.12
- crates.io/aws-lc-sys>= 0.14.0, < 0.38.0
- crates.io/aws-lc-sys>= 0.14.0, < 0.38.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-3337
- PATCHhttps://crates.io/crates/aws-lc-fips-sys
- PATCHhttps://crates.io/crates/aws-lc-sys
- PATCHhttps://github.com/aws/aws-lc-rs
- WEBhttps://aws.amazon.com/security/security-bulletins/2026-005-AWS
- WEBhttps://github.com/aws/aws-lc-rs/security/advisories/GHSA-65p9-r9h6-22vj
- WEBhttps://github.com/aws/aws-lc/security/advisories/GHSA-frmv-5gcm-jwxh
- WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0043.html
- WEBhttps://rustsec.org/advisories/RUSTSEC-2026-0045.html