Security release of Confidant 1.1.14 (in unreleased 1.1 branch)


Ryan Lane

Jun 21, 2016, 2:17:19 PM6/21/16
to confidant-users, confidant...@googlegroups.com
While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code.

The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth could be used for auth. This only affected service-to-service auth and not user-to-service auth.

The 1.1 branch was unreleased, but I know there are a few folks using this, so we felt a security release was in order. The change was introduced in 1f16e64285a4e06c63ffff39dbe7991216557032, and the following SHAs also have this vulnerability:

85715915c3d86016d417439c945d2ad92c9b649e
b50d3c4dd220ea0aebcb153ce250a9ef8d239854
c7492c0a476911a785f3dc49544a8714219d4ae6
c80ac03f0c62c3ff6faa64ea8a751498e13d2c41
b41c1cee9da501e449c47880d84b43943debf38e

If you are using any of these SHAs, you're encouraged to upgrade to c823135fe9c815de81d6785771bb318a46f9d81b. This vulnerability does not affect the 1.0 (current stable) release.

- Ryan Lane
Security Engineer
Lyft
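As an added illustration of the missing post-decrypt check the advisory describes (example code written for this page, not Confidant's own implementation), the snippet below models a KMS Decrypt response and contrasts an unchecked acceptance with one that verifies the decrypting key against the auth key configured for the account. The key ARNs, account IDs, encryption-context keys and function names are assumed placeholders.

```python
"""Post-decrypt key check for KMS-based service-to-service auth tokens."""
from dataclasses import dataclass, field

# Constructed placeholders (not Confidant's real configuration): the auth
# KMS key allowed for each AWS account under the scoped-auth-key model.
SCOPED_AUTH_KEYS = {
    "111111111111": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-AUTH",
    "222222222222": "arn:aws:kms:us-east-1:222222222222:key/PLACEHOLDER-AUTH",
}


@dataclass
class DecryptResult:
    """Fields of interest from a KMS Decrypt response (constructed here)."""
    key_id: str  # KeyId: the key that actually decrypted the token
    context: dict = field(default_factory=dict)  # EncryptionContext used


def auth_key_unchecked(result: DecryptResult, expected_context: dict) -> bool:
    """The class of bug in the advisory: a successful decrypt with the expected
    context is accepted without verifying which KMS key produced it, so any
    key the caller's IAM policy lets it use would authenticate."""
    return result.context == expected_context


def auth_key_checked(result: DecryptResult, expected_context: dict,
                     account_id: str) -> bool:
    """Hardened form: the decrypting key must be the auth key configured for
    the token's account, in addition to the IAM policy and context match."""
    allowed = SCOPED_AUTH_KEYS.get(account_id)
    if allowed is None or result.key_id != allowed:
        return False
    return result.context == expected_context


if __name__ == "__main__":
    # Assumed context shape for a service token; values are constructed.
    ctx = {"from": "example-service", "to": "confidant", "user_type": "service"}
    # Same context, but decrypted by an unrelated key the caller may use.
    wrong_key = DecryptResult(
        "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-DATA", ctx)
    print(auth_key_unchecked(wrong_key, ctx))                 # True
    print(auth_key_checked(wrong_key, ctx, "111111111111"))   # False
```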