
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN252
_____________________________________________________________________

DATE                : 04/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running AWS-LC versions prior to 1.69.0,
                      aws-lc-sys versions prior to 0.38.0,
                      AWS-LC-FIPS versions prior to 3.2.0,
                      aws-lc-sys-fips versions prior to 0.13.12.

=====================================================================
https://aws.amazon.com/fr/security/security-bulletins/rss/2026-005-aws/
_____________________________________________________________________


Issue with AWS-LC: an open-source, general-purpose cryptographic
library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
Posted on: Mar 2, 2026

Bulletin ID: 2026-005-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 03/02/2026 13:15 PM PST
 

We identified the following CVEs:

    CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass
    in AWS-LC
    CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification
    in AWS-LC
    CVE-2026-3338: PKCS7_verify Signature Validation bypass in
    AWS-LC


Description:

AWS-LC is an open-source, general-purpose cryptographic library. We
identified three distinct issues:

    CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass
    in AWS-LC
    Improper certificate validation in PKCS7_verify() in AWS-LC
    allows an unauthenticated user to bypass certificate chain
    verification when processing PKCS7 objects with multiple signers,
    except the final signer.

    CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification
    in AWS-LC
    Observable timing discrepancy in AES-CCM decryption in AWS-LC
    allows an unauthenticated user to potentially determine
    authentication tag validity via timing analysis.

    CVE-2026-3338: PKCS7_verify Signature Validation bypass in
    AWS-LC
    Improper signature validation in PKCS7_verify() in AWS-LC
    allows an unauthenticated user to bypass signature verification
    when processing PKCS7 objects with Authenticated Attributes.


Affected versions:

    PKCS7_verify Certificate Chain Validation Bypass in AWS-LC >= v1.41.0, < v1.69.0
    PKCS7_verify Certificate Chain Validation Bypass in aws-lc-sys >= v0.24.0, < v0.38.0
    Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= v1.21.0, < v1.69.0
    Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.2.0
    Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys >= v0.14.0, < v0.38.0
    Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys-fips >= v0.13.0, < v0.13.12
    PKCS7_verify Signature Validation bypass in AWS-LC >= v1.41.0, < v1.69.0
    PKCS7_verify Signature Validation bypass in aws-lc-sys >= v0.24.0, < v0.38.0
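
A triage helper for the ranges listed above, added here as an example and not
part of the AWS bulletin: it compares versions numerically and scans Cargo.lock
text for affected aws-lc-sys / aws-lc-sys-fips crates. The lowercase keys
"aws-lc" and "aws-lc-fips" and the sample lock file are assumptions of this
example.

```python
import re

# Affected ranges from the bulletin: CVE -> (first affected, first fixed).
# The lowercase keys for the C library are this example's own labels.
AFFECTED = {
    "aws-lc": {"CVE-2026-3336": ("1.41.0", "1.69.0"),
               "CVE-2026-3337": ("1.21.0", "1.69.0"),
               "CVE-2026-3338": ("1.41.0", "1.69.0")},
    "aws-lc-fips": {"CVE-2026-3337": ("3.0.0", "3.2.0")},
    "aws-lc-sys": {"CVE-2026-3336": ("0.24.0", "0.38.0"),
                   "CVE-2026-3337": ("0.14.0", "0.38.0"),
                   "CVE-2026-3338": ("0.24.0", "0.38.0")},
    "aws-lc-sys-fips": {"CVE-2026-3337": ("0.13.0", "0.13.12")},
}

def parse_version(text):
    """'v1.68.0' or '0.13.11' -> (1, 68, 0); suffixes like '-rc1' are ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def cves_for(package, version):
    """Sorted CVE ids whose affected range contains this package version."""
    v = parse_version(version)
    ranges = AFFECTED.get(package.lower(), {})
    return sorted(cve for cve, (lo, hi) in ranges.items()
                  if parse_version(lo) <= v < parse_version(hi))

def audit_cargo_lock(lock_text):
    """Map 'crate version' -> CVE list for affected crates in Cargo.lock text."""
    findings = {}
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version and name.group(1) in AFFECTED:
            hits = cves_for(name.group(1), version.group(1))
            if hits:
                findings[f"{name.group(1)} {version.group(1)}"] = hits
    return findings

# Constructed sample lock file, not taken from the bulletin.
SAMPLE_LOCK = "".join(
    f'[[package]]\nname = "{n}"\nversion = "{v}"\n\n'
    for n, v in [("aws-lc-sys", "0.20.1"), ("aws-lc-sys-fips", "0.13.11"),
                 ("serde", "1.0.200")])

if __name__ == "__main__":
    for pkg, cves in audit_cargo_lock(SAMPLE_LOCK).items():
        print(pkg, "->", ", ".join(cves))
```

Versions are compared as integer tuples because a string comparison would
rank 1.9.0 above 1.21.0 and misreport it.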


Resolution:

PKCS7_verify Certificate Chain Validation Bypass and
PKCS7_verify Signature Validation Bypass have been addressed
in AWS-LC v1.69.0 and aws-lc-sys v0.38.0. Timing Side-Channel
in AES-CCM Tag Verification has been addressed in AWS-LC
v1.69.0, AWS-LC-FIPS-3.2.0, aws-lc-sys v0.38.0, and
aws-lc-sys-fips v0.13.12. PKCS7_verify Signature Validation
bypass in AWS-LC has been addressed in AWS-LC v1.69.0 and
aws-lc-sys v0.38.0.


Workarounds:

There are no known workarounds for CVE-2026-3336 and CVE-2026-3338.

For CVE-2026-3337, customers using AES-CCM with (M=4, L=2),
(M=8, L=2), or (M=16, L=2) can work around this issue by
using AES-CCM through the EVP AEAD API with the
implementations EVP_aead_aes_128_ccm_bluetooth,
EVP_aead_aes_128_ccm_bluetooth_8, and
EVP_aead_aes_128_ccm_matter respectively. Otherwise, there
is no known workaround. We recommend that customers
upgrade to the latest major versions of AWS-LC.


References:

    CVE-2026-3336
    CVE-2026-3337
    CVE-2026-3338
    GHSA-cfwj-9wp5-wqvp
    GHSA-frmv-5gcm-jwxh
    GHSA-jchq-39cv-q4wj
    GHSA-vw5v-4f2q-w9xf
    GHSA-65p9-r9h6-22vj
    GHSA-hfpc-8r3f-gw53


Acknowledgement:

We would like to thank the AISLE Research Team for collaborating
on issues CVE-2026-3336 and CVE-2026-3337 through the
coordinated vulnerability disclosure process.
 

Please email aws-security@amazon.com with any security
questions or concerns.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




