Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc1dmYtdjZ3Zi03dzJy
Ciphertext Malleability Issue in Tink Java
Impact
Tink's Java version before 1.5 under some circumstances allowed attackers to change the key ID part of the ciphertext, resulting in the attacker creating a second ciphertext that will decrypt to the same plaintext. This can be a problem in particular in the case of encrypting with a deterministic AEAD with a single key, and relying on the fact that there is only a single valid ciphertext per plaintext.
No loss of confidentiality or loss of plaintext integrity occurs due to this problem, only ciphertext integrity is compromised.
Patches
The issue was fixed in this pull request.
Workarounds
The only workaround is to backport the fixing pull request.
Details
Tink uses the first five bytes of a ciphertext for a version byte and a four byte key ID. Since each key has a well defined prefix, this extends non-malleability properties (but technically not indistinguishability). However, in the Java version this prefix lookup used a hash map indexed by unicode strings instead of the byte array, which means that invalid Unicode characters would be replaced by U+FFFD by the Java API's default behavior. This means several different values for the five bytes would result in the same hash table key, which allows an attacker to exchange one invalid byte sequence for another, creating a mutated ciphertext that still decrypts (to the same plaintext).
Acknowledgements
We'd like to thank Peter Esbensen for finding this issue and raising it internally.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Tink
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc1dmYtdjZ3Zi03dzJy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-g5vf-v6wf-7w2r, CVE-2020-8929
References:
- https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r
- https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899
- https://nvd.nist.gov/vuln/detail/CVE-2020-8929
- https://github.com/advisories/GHSA-g5vf-v6wf-7w2r
Blast Radius: 14.3
Affected Packages
maven:com.google.crypto.tink:tink
Dependent packages: 70Dependent repositories: 489
Downloads:
Affected Version Ranges: < 1.5.0
Fixed in: 1.5.0
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0
All unaffected versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0