CVE-2021-20328

Name of the Vulnerable Software and Affected Versions: Java driver versions that support client-side field level encryption (CSFLE)

Description: The issue arises from the Java driver's failure to perform correct host name verification on the KMS server's certificate, which, in combination with a privileged network position active MITM attack, could result in interception of traffic between the Java driver and the KMS service. This renders Field Level Encryption ineffective. The Java async, Scala, and reactive streams drivers are not impacted. Additionally, this issue does not affect driver traffic payloads with CSFLE-supported key services originating from applications inside the AWS, GCP, and Azure network fabrics due to existing controls in these environments. It also does not impact driver workloads that do not use Field Level Encryption.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.