AWS Developer Tools Blog
Security update to AWS SDK for .NET’s Amazon CloudFront Cookie Signer
The AWS SDK for .NET has a utility class, Amazon.CloudFront.AmazonCloudFrontCookieSigner, for creating signed cookies to access private content served using Amazon CloudFront. This blog contains details on usage of this utility class along with sample code.
Specifying AmazonCloudFrontCookieSigner.Protocols.Https as the protocol parameter creates a cookie with an incorrect policy: the policy contains a resource restriction of “http*://” instead of “https://”.
Potential Impact
CloudFront distributions configured to serve both HTTP and HTTPS requests are affected by this issue, unless “Viewer Protocol Policy” is configured as HTTPS; in that case, CloudFront will block attempts to access content over HTTP.
Impacted SDK versions
- Versions 2.3.36 to 2.3.55 for version 2 of the AWS SDK for .NET
- Versions 3.0.1-preview to 3.3.3.6 for package AWSSDK.CloudFront of the AWS SDK for .NET
- Versions 3.2.0-beta to 3.2.3.7-beta, and 3.2.8-rc for package AWSSDK.CloudFront in the preview version 3.2 of the AWS SDK for .NET, which targets .NET Core
Mitigation
Update your dependency to the latest version of the SDK. The fix contains a change to the AmazonCloudFrontCookieSigner.Protocols enum’s underlying values (a breaking change) and requires a recompilation of the consuming application. The assembly version of the SDK package has been updated for this fix. There are no other breaking API changes in this version.
- Version 2.3.55.2 and above for package AWSSDK in version 2 of the AWS SDK for .NET
- Version 3.3.4.0 and above for package AWSSDK.CloudFront in version 3 of the AWS SDK for .NET
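After updating and recompiling, one way to confirm that issued cookies are restricted to HTTPS is to decode the CloudFront-Policy cookie and inspect each Resource value. The following is an added example, not code from the SDK or the original post; the names CloudFrontPolicyAudit and NonHttpsResources are hypothetical, the sample policies are constructed, and it assumes a custom-policy cookie and the System.Text.Json package.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class CloudFrontPolicyAudit
{
    // CloudFront's cookie-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
    static string Encode(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .Replace('+', '-').Replace('=', '_').Replace('/', '~');

    static string Decode(string cookieValue) =>
        Encoding.UTF8.GetString(Convert.FromBase64String(
            cookieValue.Replace('-', '+').Replace('_', '=').Replace('~', '/')));

    // Returns every Resource in the policy that does not begin with "https://".
    public static List<string> NonHttpsResources(string policyCookieValue)
    {
        var offending = new List<string>();
        using (JsonDocument doc = JsonDocument.Parse(Decode(policyCookieValue)))
        {
            foreach (JsonElement stmt in doc.RootElement.GetProperty("Statement").EnumerateArray())
            {
                string resource = stmt.GetProperty("Resource").GetString() ?? "";
                if (!resource.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
                    offending.Add(resource);
            }
        }
        return offending;
    }

    static void Main()
    {
        // Constructed sample policies; host name, path and expiry are placeholders.
        const string tail = "d111111abcdef8.cloudfront.net/private/*\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":1893456000}}}]}";
        foreach (string scheme in new[] { "http*://", "https://" })
        {
            string json = "{\"Statement\":[{\"Resource\":\"" + scheme + tail;
            List<string> bad = NonHttpsResources(Encode(json));
            Console.WriteLine(scheme + (bad.Count == 0 ? " -> HTTPS only" : " -> allows non-HTTPS: " + string.Join(", ", bad)));
        }
    }
}
```

In a test suite, pass the CloudFront-Policy value produced by your own signing code to NonHttpsResources and fail the build if the returned list is not empty.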