AWS C Event Stream Buffer Overflow Vulnerability in Streaming Decoder Component

Vulnerability

A stack buffer overflow vulnerability has been identified in the streaming decoder component of the AWS C Event Stream library (aws-c-event-stream) in versions prior to 0.6.0. A malicious or compromised server can send crafted event-stream messages that corrupt memory in the client decoding them, potentially leading to arbitrary code execution in the client application. The attack surface is the client-side parsing of server-sent data: the issue arises whenever a client speaks the event-stream protocol to a server it does not fully trust, a scenario that can occur with certain AWS SDKs that consume this library.
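To make the bug class concrete, the following is an added example written for this page; it is not code from aws-c-event-stream and does not reconstruct the actual defect. It parses the documented vnd.amazon.eventstream header block (one-byte name length, name, one-byte value type, fixed-size or two-byte-length-prefixed value) and checks every wire-supplied length against the bytes that remain before using it. The fixed name buffer size, the result codes, and the sample messages are hypothetical; the comment at the name-length check marks the pattern that, if omitted, lets a single length byte drive a memcpy past a fixed stack buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Value type codes from the documented vnd.amazon.eventstream header format. */
enum hdr_type {
    HDR_BOOL_TRUE = 0, HDR_BOOL_FALSE = 1, HDR_BYTE = 2, HDR_INT16 = 3,
    HDR_INT32 = 4, HDR_INT64 = 5, HDR_BYTE_ARRAY = 6, HDR_STRING = 7,
    HDR_TIMESTAMP = 8, HDR_UUID = 9
};

#define MAX_HEADERS  16
#define MAX_NAME_LEN 32  /* hypothetical fixed buffer: smaller than the 255 a length byte can encode */

struct hdr {
    char name[MAX_NAME_LEN + 1];
    uint8_t type;
    const uint8_t *value;  /* borrowed from the input buffer, not copied */
    size_t value_len;
};

/* Hypothetical result codes for this example. */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_NAME_TOO_LONG = -2,
       PARSE_BAD_TYPE = -3, PARSE_TOO_MANY = -4 };

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a header block of `len` bytes into `out`. Returns the number of
 * headers parsed, or a negative PARSE_* code. Every length read from the wire
 * is validated against the remaining input before it is used. */
int parse_headers(const uint8_t *buf, size_t len, struct hdr *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < len) {
        if (n == max_out) return PARSE_TOO_MANY;
        uint8_t name_len = buf[off++];
        /* Without this check, a name length of up to 255 is copied into a
         * 33-byte stack buffer: the stack-overflow pattern this page describes. */
        if (name_len > MAX_NAME_LEN) return PARSE_NAME_TOO_LONG;
        if (len - off < (size_t)name_len + 1) return PARSE_TRUNCATED;  /* name + type byte */
        memcpy(out[n].name, buf + off, name_len);
        out[n].name[name_len] = '\0';
        off += name_len;
        out[n].type = buf[off++];

        size_t vlen;
        switch (out[n].type) {
        case HDR_BOOL_TRUE: case HDR_BOOL_FALSE: vlen = 0; break;
        case HDR_BYTE:  vlen = 1; break;
        case HDR_INT16: vlen = 2; break;
        case HDR_INT32: vlen = 4; break;
        case HDR_INT64: case HDR_TIMESTAMP: vlen = 8; break;
        case HDR_UUID:  vlen = 16; break;
        case HDR_BYTE_ARRAY: case HDR_STRING:
            if (len - off < 2) return PARSE_TRUNCATED;
            vlen = rd_u16(buf + off);  /* attacker-controlled, so check it below */
            off += 2;
            break;
        default: return PARSE_BAD_TYPE;
        }
        if (len - off < vlen) return PARSE_TRUNCATED;
        out[n].value = buf + off;
        out[n].value_len = vlen;
        off += vlen;
        n++;
    }
    return (int)n;
}

/* Constructed sample header blocks (not captured traffic). */
static const uint8_t BENIGN[] = {
    11, ':','e','v','e','n','t','-','t','y','p','e', HDR_STRING, 0x00, 0x05, 'c','h','u','n','k',
    13, ':','m','e','s','s','a','g','e','-','t','y','p','e', HDR_STRING, 0x00, 0x05, 'e','v','e','n','t',
};
/* Name length byte claims 255 bytes; only four follow. */
static const uint8_t OVERSIZED_NAME[] = { 0xFF, 'a','b','c','d' };
/* String value length claims 4096 bytes; only three follow. */
static const uint8_t TRUNCATED_VALUE[] = { 3, 'f','o','o', HDR_STRING, 0x10, 0x00, 'x','y','z' };

static struct hdr g_hdrs[MAX_HEADERS];

int demo_benign(void)          { return parse_headers(BENIGN, sizeof BENIGN, g_hdrs, MAX_HEADERS); }
int demo_oversized_name(void)  { return parse_headers(OVERSIZED_NAME, sizeof OVERSIZED_NAME, g_hdrs, MAX_HEADERS); }
int demo_truncated_value(void) { return parse_headers(TRUNCATED_VALUE, sizeof TRUNCATED_VALUE, g_hdrs, MAX_HEADERS); }
const char *demo_benign_first_name(void) { demo_benign(); return g_hdrs[0].name; }

int main(void)
{
    int n = demo_benign();
    printf("benign: %d headers, first = %s\n", n, g_hdrs[0].name);
    printf("oversized name: %d\n", demo_oversized_name());
    printf("truncated value: %d\n", demo_truncated_value());
    return 0;
}
```

The rejected cases are the ones a decoder on the receiving end of an untrusted server must handle: the parser returns an error instead of copying, and the caller drops the connection. Values are borrowed from the input rather than copied into fixed locals, so there is no second buffer to overrun even for length-prefixed types.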

Impact

Exploitation of this vulnerability could result in memory corruption and arbitrary code execution in the client application that decodes the crafted messages. Because the overflow is triggered by server-sent data, the client does not need to be otherwise compromised; directing it at a server the attacker controls is sufficient.

Remediation

Users should upgrade to AWS C Event Stream version 0.6.0 or later. This vulnerability has also been addressed in the following AWS SDK libraries: AWS IoT Device SDK C++ V2 version 1.42.1, AWS IoT Device SDK Java V2 version 1.30.1, AWS IoT Device SDK Python V2 version 1.28.2, AWS IoT Device SDK JavaScript V2 version 1.25.1, AWS SDK for Swift version 1.6.70, and AWS SDK for C++ version 1.11.764. Note that aws-c-event-stream is usually pulled in transitively through the AWS CRT bindings rather than depended on directly, so verify the version actually bundled or linked into your build, not only the top-level SDK version; applications that vendor or statically link the library must be rebuilt against the fixed release.

Added: Mar 31, 2026, 6:24 PM
Updated: Mar 31, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.4
remediation: 0.0
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.