MessageDigest hashing issue

Moderate
farleyb-amazon published GHSA-7jxm-4g9c-5vxj Apr 21, 2021

Package

amazon-corretto-crypto-provider (Maven)

Affected versions

1.6.0

Patched versions

1.6.1

Description

Impact

This advisory concerns customers who create, clone or re-use MessageDigest instances across many threads in their application while using ACCP as a JCE provider. A race condition can cause ACCP’s MessageDigest hashing algorithms to return the same value for different inputs.
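A self-check for the symptom described above, as an added example that is not code from the advisory or from the ACCP project: it hashes distinct inputs from many threads, using fresh, cloned and re-used MessageDigest instances, and compares each result with a digest computed single-threaded beforehand. The class name, algorithm choice, workload sizes and input strings are assumptions, and it exercises whichever provider the JVM selects for SHA-256, so ACCP must already be installed the way your application installs it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.*;

// Added example, not ACCP project code. Names and workload sizes are assumptions.
public class DigestRaceCheck {
    static final String ALG = "SHA-256";
    static final int THREADS = 16, INPUTS = 2000, ROUNDS = 50;

    public static void main(String[] args) throws Exception {
        MessageDigest template = MessageDigest.getInstance(ALG);
        // Prints the name and version of the JCE provider that served the request.
        System.out.println("Provider under test: " + template.getProvider());
        // Constructed, distinct inputs with reference digests computed on one thread.
        byte[][] inputs = new byte[INPUTS][], expected = new byte[INPUTS][];
        for (int i = 0; i < INPUTS; i++) {
            inputs[i] = ("constructed-input-" + i).getBytes(StandardCharsets.UTF_8);
            expected[i] = MessageDigest.getInstance(ALG).digest(inputs[i]);
        }
        CountDownLatch start = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(THREADS);
        List<Future<Integer>> results = new ArrayList<>();
        for (int t = 0; t < THREADS; t++) {
            final int offset = t;
            results.add(pool.submit(() -> {
                int bad = 0;
                start.await(); // release all workers together to maximise overlap
                for (int r = 0; r < ROUNDS; r++)
                    for (int i = offset; i < INPUTS; i += THREADS) {
                        // Alternate creating a new instance and cloning a shared template.
                        MessageDigest md = (i % 2 == 0)
                                ? MessageDigest.getInstance(ALG)
                                : (MessageDigest) template.clone();
                        byte[] first = md.digest(inputs[i]);
                        byte[] again = md.digest(inputs[i]); // re-use after digest() reset
                        if (!Arrays.equals(first, expected[i])) bad++;
                        if (!Arrays.equals(again, expected[i])) bad++;
                    }
                return bad;
            }));
        }
        start.countDown();
        pool.shutdown(); // already-submitted tasks still run to completion
        int mismatches = 0;
        for (Future<Integer> f : results) mismatches += f.get();
        System.out.println(mismatches == 0 ? "PASS: all digests match the reference"
                                           : "FAIL: " + mismatches + " wrong digests");
        if (mismatches != 0) System.exit(1);
    }
}
```

Because the defect is a race, a passing run does not prove the provider is unaffected; confirm the version printed on the first line against the affected and patched versions listed in this advisory.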

Patches

Fixed in version 1.6.1. All users are advised to upgrade as soon as possible.

Workarounds

None

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs