PT-2021-22965 · Amazon · AWS IoT Device SDK v2 for Python (+4)

F-Secure · Published 2021-11-22 · Updated 2021-12-02 · CVE-2021-40829

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

AWS IoT Device SDK v2 for Java, versions prior to 1.4.2
AWS IoT Device SDK v2 for Python, versions prior to 1.6.1
AWS IoT Device SDK v2 for C++, versions prior to 1.12.7
AWS IoT Device SDK v2 for Node.js, versions prior to 1.5.3
aws-c-io version 0.10.4

Description

Connections initialized by the AWS IoT Device SDK v2 did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on macOS. The chain was still validated against the overridden CA, but the certificate's names were never compared with the endpoint being connected to, so any certificate issued by that CA was accepted for any host. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward.

Recommendations

For AWS IoT Device SDK v2 for Java versions prior to 1.4.2, update to version 1.4.2 or later.
For AWS IoT Device SDK v2 for Python versions prior to 1.6.1, update to version 1.6.1 or later.
For AWS IoT Device SDK v2 for C++ versions prior to 1.12.7, update to version 1.12.7 or later.
For AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3, update to version 1.5.3 or later.
For aws-c-io version 0.10.4, update to version 0.10.5 or later.
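The following is an added example for this advisory, not code from the AWS IoT Device SDK or from aws-c-io. It puts the weak TLS client configuration the description refers to (trust store overridden, hostname check switched off) beside the hardened form, and adds a small, simplified hostname-matching routine over a constructed certificate dictionary shaped like Python's ssl `getpeercert()` output, so the check that was missing can be exercised offline. The certificate data, the function names and the `*.iot.example.test` names are all assumptions made for the example.

```python
"""Added example: TLS hostname verification, weak vs. hardened (not SDK code)."""
import ssl
from typing import Optional


def build_tls_context(cafile: Optional[str] = None, hardened: bool = True) -> ssl.SSLContext:
    """Build a client context, optionally overriding the trust store with `cafile`.

    hardened=False reproduces the failure mode the advisory describes: the chain
    is still validated against the CA, but the peer's names are never compared
    with the hostname that was dialled.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # custom CA replaces/extends system roots
    if not hardened:
        ctx.check_hostname = False  # weak: any cert from the CA is accepted for any host
    return ctx


def hostname_verification_enabled(ctx: ssl.SSLContext) -> bool:
    """Configuration check a deployment can run before opening connections."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: a wildcard is only allowed as the whole
    left-most label and must not match more than one label (assumption: no
    IDNA handling, which a production matcher would need)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Compare the dialled hostname with the certificate's DNS names.

    Uses subjectAltName DNS entries; falls back to the subject commonName only
    when no SAN is present, as legacy verifiers did.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return any(_dns_name_matches(name, hostname) for name in names)


def connection_is_verified(ctx: ssl.SSLContext, cert: dict, hostname: str) -> bool:
    """True only when the context enforces hostname checks AND the cert names
    the endpoint. With the weak context the second half is never consulted,
    which is exactly the gap the advisory describes."""
    if not hostname_verification_enabled(ctx):
        return False
    return cert_matches_hostname(cert, hostname)


# Constructed sample certificate (assumption: shaped like ssl.SSLSocket.getpeercert()).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.iot.example.test"),),),
    "subjectAltName": (("DNS", "*.iot.example.test"), ("DNS", "iot.example.test")),
}


if __name__ == "__main__":
    strong = build_tls_context()
    weak = build_tls_context(hardened=False)
    for ctx, label in ((strong, "hardened"), (weak, "weak")):
        print(label, "verifies abc123.iot.example.test:",
              connection_is_verified(ctx, SAMPLE_CERT, "abc123.iot.example.test"))
        print(label, "would accept other.example.test:",
              hostname_verification_enabled(ctx) is False
              or cert_matches_hostname(SAMPLE_CERT, "other.example.test"))
```

The `hostname_verification_enabled` check is the part worth wiring into a device's start-up self-test: it catches the overridden-trust-store case at configuration time rather than at the first connection to a mis-named endpoint.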

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2021-40829
GHSA-743R-5G92-5VGF
PYSEC-2021-862

Affected Products

AWS IoT Device SDK v2 for C++
AWS IoT Device SDK v2 for Java
AWS IoT Device SDK v2 for Node.js
AWS IoT Device SDK v2 for Python
aws-c-io