PT-2021-23237 · Unknown · App-Service-Configurable+1

Published: 2021-11-18 · Updated: 2021-11-23 · CVE-2021-41278

CVSS v3.1: 5.7 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

app-functions-sdk-go versions prior to 2.1.0
app-service-configurable versions prior to 2.1.0
Description

The app-functions-sdk exports an aes transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if it is used, the level of protection may be less than the user expects because the implementation is broken. This allows attackers to decrypt messages via unspecified vectors. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release, to avoid breaking existing software that depends on it.
Recommendations

For app-functions-sdk-go versions prior to 2.1.0, upgrade to version 2.1.0 and modify user scripts to use the new aes256 transform in place of the existing aes transform.
For app-service-configurable versions prior to 2.1.0, upgrade to version 2.1.0 and modify user scripts to use the new aes256 transform in place of the existing aes transform.
As a temporary workaround, consider changing the processing pipeline to export to an HTTPS (TLS 1.3) endpoint and skip encryption.

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2021-41278
GHSA-6C7M-QWXJ-MVHP

Affected Products

App-Functions-Sdk-Go
App-Service-Configurable