Update dependency software.amazon.encryption.s3:amazon-s3-encryption-client-java to v4 [SECURITY]#1
Open
jamietanna wants to merge 1 commit into
This PR contains the following updates:
software.amazon.encryption.s3:amazon-s3-encryption-client-java: 3.4.0 → 4.0.0
Amazon S3 Encryption Client for Java has a Key Commitment Issue
CVE-2025-14763 / GHSA-x44p-gvrj-pj2r
More information
Details
Summary
S3 Encryption Client for Java is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
Impact
Background - Key Commitment
There is a cryptographic property whereby under certain conditions, a single ciphertext could be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message.
In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple EDKs could be associated with an underlying encrypted message object. For such customers an attack that leverages the lack of key commitment is possible. A bad actor would need two things to leverage this issue: (i) the ability to create a separate, rogue EDK that will also decrypt the underlying object to produce desired plaintext, and (ii) permission to upload a new instruction file to the S3 bucket to replace the existing instruction file placed there by the user using the S3EC. Any future attempt to decrypt the underlying encrypted message with the S3EC will unwittingly use the rogue EDK to produce a valid plaintext message.
Impacted versions: <= v3.5
Patches
S3 Encryption Client is introducing the concept of "key commitment" to S3EC, where the EDK is cryptographically bound to the ciphertext, in order to address this issue. In order to maintain compatibility for in-flight messages we are releasing the fix in two versions: a code-compatible minor version that can read messages with key commitment but not write them, and a new major version that can both read and write messages with key commitment. For maximum safety customers are asked to upgrade to the latest major version: 4.0.0 or later.
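To make the "cryptographically bound to the ciphertext" idea in the Patches section concrete, here is an added, self-contained illustration of key commitment (not code from the advisory or from the S3 Encryption Client, whose on-the-wire format is different): the unwrapped data key is split with HKDF-SHA512 into an encryption key and a commit key, the commit key is stored next to the ciphertext, and decryption refuses to proceed unless the supplied key reproduces it. It is stdlib-only, so a keyed-HMAC keystream stands in for AES-GCM; the HKDF labels, the envelope layout and the sample key are all constructed for this example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha512


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive(data_key: bytes, message_id: bytes) -> tuple:
    """Split one data key into (encryption key, commit key).
    message_id is a per-object random salt stored with the ciphertext."""
    prk = hkdf_extract(message_id, data_key)
    enc_key = hkdf_expand(prk, b"example-derive-key", 32)      # constructed label
    commit_key = hkdf_expand(prk, b"example-commit-key", 32)   # constructed label
    return enc_key, commit_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stand-in for AES-GCM: XOR with an HMAC(key, nonce || counter) keystream.
    out = bytearray()
    for i in range(0, len(data), HASH().digest_size):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), HASH).digest()
        chunk = data[i:i + len(block)]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt(data_key: bytes, plaintext: bytes) -> dict:
    message_id = os.urandom(32)
    enc_key, commit_key = derive(data_key, message_id)
    # The commitment is public; it binds this ciphertext to exactly one key.
    return {"message_id": message_id, "commitment": commit_key,
            "ciphertext": keystream_xor(enc_key, message_id, plaintext)}


def commitment_matches(data_key: bytes, envelope: dict) -> bool:
    _, commit_key = derive(data_key, envelope["message_id"])
    return hmac.compare_digest(commit_key, envelope["commitment"])


def decrypt(data_key: bytes, envelope: dict) -> bytes:
    # A key unwrapped from a replaced EDK fails here before any decryption runs.
    if not commitment_matches(data_key, envelope):
        raise ValueError("key commitment mismatch: wrong or substituted data key")
    enc_key, _ = derive(data_key, envelope["message_id"])
    return keystream_xor(enc_key, envelope["message_id"], envelope["ciphertext"])
```

The check models the REQUIRE_DECRYPT half of the new default policy: a ciphertext without a matching commitment is rejected rather than decrypted under whichever key happens to be offered.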
Workarounds
There are no workarounds, please upgrade to the suggested version of S3EC.
References
If users have any questions or comments about this advisory, S3 Encryption Client asks that they contact AWS Security via our issue reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
aws/amazon-s3-encryption-client-java (software.amazon.encryption.s3:amazon-s3-encryption-client-java)
v4.0.0
⚠ BREAKING CHANGES
The S3 Encryption Client now requires key committing algorithm suites by default.
See migration guide from 3.x to 4.x: link
- The builder() method has been removed; use builderV4() instead.
- builderV4() now defaults to commitmentPolicy(REQUIRE_ENCRYPT_REQUIRE_DECRYPT) and encryptionAlgorithm(ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY).
- Updated expectations for custom implementations of the CryptographicMaterialsManager interface:
  - The getEncryptionMaterials method MUST set the AlgorithmSuite field on the returned EncryptionMaterials. DefaultCryptoMaterialsManager's getEncryptionMaterials method sets this field from the AlgorithmSuite provided in the EncryptionMaterialsRequest. If your implementation relies on the DefaultCryptoMaterialsManager.getEncryptionMaterials method, it's likely that no code updates are required; the provided logic has been updated with this change.
  - The decryptMaterials method MUST set the KeyCommitment field on the returned DecryptionMaterials. DefaultCryptoMaterialsManager's decryptMaterials method sets this field from the KeyCommitment provided in the DecryptMaterialsRequest. If your implementation relies on the DefaultCryptoMaterialsManager.decryptMaterials method, it's likely that no code updates are required; the provided logic has been updated with this change.
- Updated expectations for custom implementations of the Keyring interface:
  - The onDecrypt method MUST preserve the KeyCommitment field on the returned DecryptionMaterials. S3Keyring's onDecrypt method (the base class for all keyrings, including KmsKeyring) preserves this field through the builder pattern when returning updated materials. If your implementation relies on the S3Keyring.onDecrypt method or uses the builder pattern to return materials, it's likely that no code updates are required; the provided logic has been updated with this change.
Features
Maintenance
v3.6.1: Amazon S3 Encryption Client 3.6.1 Release -- 2026-02-06
Changelog
3.6.1 (2026-02-06)
Fixes
Maintenance
v3.6.0
Features
Maintenance
v3.5.0
Features
Maintenance
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.