Amazon AWS CloudFront Weak Cipher Support Vulnerability

Vulnerability

A vulnerability exists in Amazon AWS CloudFront's TLSv1.2_2019 security policy, which allows the cipher suites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 to be negotiated. These suites are considered weak by some security standards. While CloudFront offers a newer security policy, TLSv1.2_2020, that does not include these suites, it is not clear when or if this policy will be available to all users.

Impact

The vulnerability allows clients to negotiate cipher suites that are considered weak, potentially exposing viewer-to-CloudFront communications to cryptographic attacks.
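Before judging the impact for a given distribution, it helps to know whether any clients actually negotiate the two suites. The following added example (not part of the advisory) parses CloudFront standard access logs, which record the negotiated protocol and cipher per request in the ssl-protocol and ssl-cipher columns, and reports how many HTTPS requests used either CBC-SHA2 suite and which user agents sent them. The log excerpt is constructed, and the column order is read from the log's own #Fields: header rather than hard-coded.

```python
"""Measure how often the CBC-SHA2 suites are actually negotiated, using the
ssl-protocol / ssl-cipher columns of CloudFront standard (W3C-style) logs."""
from collections import Counter
from urllib.parse import unquote

# IANA names from the advisory, keyed by the OpenSSL-style names that
# CloudFront writes in the ssl-cipher column.
WEAK_CIPHERS = {
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}

# Column names as they appear in a CloudFront standard log header.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
          "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query "
          "cs(Cookie) x-edge-result-type x-edge-request-id x-host-header "
          "cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol "
          "ssl-cipher x-edge-response-result-type cs-protocol-version")


def _row(time, client_ip, user_agent, scheme, ssl_protocol, ssl_cipher):
    """Build one constructed, tab-separated log record matching FIELDS."""
    cols = ["2026-03-11", time, "IAD89-C1", "1024", client_ip, "GET",
            "d111111abcdef8.cloudfront.net", "/index.html", "200", "-",
            user_agent, "-", "-", "Hit", "REQID", "www.example.com", scheme,
            "300", "0.002", "-", ssl_protocol, ssl_cipher, "Hit", "HTTP/2.0"]
    return "\t".join(cols)


# Constructed sample log (not real traffic); user agents are URL-encoded
# exactly as CloudFront writes them.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + FIELDS,
    _row("19:21:00", "198.51.100.10", "Mozilla/5.0%20(X11)", "https",
         "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    _row("19:21:01", "198.51.100.11", "OldClient/1.0", "https",
         "TLSv1.2", "ECDHE-RSA-AES128-SHA256"),
    _row("19:21:02", "198.51.100.11", "OldClient/1.0", "https",
         "TLSv1.2", "ECDHE-RSA-AES256-SHA384"),
    _row("19:21:03", "198.51.100.12", "curl/8.0", "http", "-", "-"),
    _row("19:21:04", "198.51.100.13", "Mozilla/5.0%20(X11)", "https",
         "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
])


def parse_cloudfront_log(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("log record seen before #Fields: header")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match header")
            yield dict(zip(fields, values))


def weak_cipher_report(text):
    """Summarise which clients still negotiate the CBC-SHA2 suites."""
    https_requests = 0
    by_cipher = Counter()
    by_client = Counter()
    for rec in parse_cloudfront_log(text):
        if rec["cs-protocol"] != "https":
            continue  # plain HTTP: no TLS handshake to inspect
        https_requests += 1
        cipher = rec["ssl-cipher"]
        if cipher in WEAK_CIPHERS:
            by_cipher[cipher] += 1
            by_client[unquote(rec["cs(User-Agent)"])] += 1
    weak_total = sum(by_cipher.values())
    return {
        "https_requests": https_requests,
        "weak_total": weak_total,
        "weak_share": weak_total / https_requests if https_requests else 0.0,
        "by_cipher": dict(by_cipher),
        "by_client": dict(by_client),
    }


if __name__ == "__main__":
    report = weak_cipher_report(SAMPLE_LOG)
    for cipher, n in report["by_cipher"].items():
        print(f"{WEAK_CIPHERS[cipher]}: {n} request(s)")
    print(f"{report['weak_share']:.0%} of HTTPS requests used a CBC-SHA2 suite")
```

Run it over a real log file by passing the file's contents to weak_cipher_report; a non-zero weak_share tells you which clients would lose connectivity once a policy without these suites is applied, which is the number to have before changing the distribution.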

Remediation

Users can update their CloudFront distributions to the TLSv1.2_2019 security policy, which is currently available. However, this policy still includes the cipher suites in question. Once AWS makes the TLSv1.2_2020 policy available to all users, switching to it will disable them.
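To find which distributions are affected and prepare the change, the following added example (not part of the advisory, and not AWS code) audits distribution configurations in the shape returned by the CloudFront API's get_distribution_config call and builds the updated configuration you would pass back to update_distribution. The advisory only names TLSv1.2_2019 as including the two suites; treating every older policy as also including them, and treating the default *.cloudfront.net certificate as pinned to the legacy TLSv1 policy, are assumptions drawn from AWS documentation rather than from this page. The sample configurations are constructed.

```python
"""Audit CloudFront distribution configs for security policies that still
offer the CBC-SHA2 suites, and produce the config change that moves them."""
import copy

# The advisory names TLSv1.2_2019 as including the two CBC-SHA2 suites.
# Every older CloudFront policy also offers them (assumption drawn from the
# AWS security-policy documentation, not from the advisory itself).
POLICIES_WITH_CBC_SHA2 = {
    "SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
    "TLSv1.2_2018", "TLSv1.2_2019",
}
# Policy the advisory says removes the two suites.
TARGET_POLICY = "TLSv1.2_2020"


def effective_policy(viewer_cert):
    """Return the security policy CloudFront actually applies."""
    # With the default *.cloudfront.net certificate the policy cannot be
    # raised, so treat it as the legacy TLSv1 policy (assumption).
    if viewer_cert.get("CloudFrontDefaultCertificate"):
        return "TLSv1"
    return viewer_cert.get("MinimumProtocolVersion", "TLSv1")


def audit_distribution(dist_id, dist_config):
    """Classify one DistributionConfig dict (get_distribution_config shape)."""
    cert = dist_config.get("ViewerCertificate", {})
    policy = effective_policy(cert)
    return {
        "id": dist_id,
        "policy": policy,
        "offers_cbc_sha2": policy in POLICIES_WITH_CBC_SHA2,
        "uses_default_cert": bool(cert.get("CloudFrontDefaultCertificate")),
    }


def audit_all(configs):
    """Return findings for every distribution that still offers the suites."""
    findings = [audit_distribution(i, c) for i, c in configs.items()]
    return [f for f in findings if f["offers_cbc_sha2"]]


def remediated_config(dist_config, target=TARGET_POLICY):
    """Copy of the config with the policy raised, suitable for
    cloudfront.update_distribution(Id=..., IfMatch=etag, DistributionConfig=...)."""
    new = copy.deepcopy(dist_config)
    cert = new.setdefault("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        raise ValueError("attach an ACM certificate before raising the policy")
    cert["MinimumProtocolVersion"] = target
    return new


# Constructed sample configurations (hypothetical distribution ids).
SAMPLE_CONFIGS = {
    "EXAMPLE2019": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2019"}},
    "EXAMPLE2020": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2020"}},
    "EXAMPLEDEFAULT": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
        "MinimumProtocolVersion": "TLSv1"}},
}


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONFIGS):
        print(f"{finding['id']}: policy {finding['policy']} offers CBC-SHA2 suites")
    fixed = remediated_config(SAMPLE_CONFIGS["EXAMPLE2019"])
    print("EXAMPLE2019 ->", fixed["ViewerCertificate"]["MinimumProtocolVersion"])
```

In a live audit, replace SAMPLE_CONFIGS with the DistributionConfig dicts from the API and keep the ETag returned alongside each one, since update_distribution requires it as IfMatch; the function refuses to raise the policy on a distribution that still uses the default certificate, because that change requires an ACM certificate first.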

Added: Mar 11, 2026, 7:21 PM
Updated: Mar 11, 2026, 7:21 PM

Vulnerability Rating (custom algorithm)

spread:          0.0
impact:          0.6
exploitability:  4.7
remediation:     7.7
relevance:       0.0
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.