Initial Publication Date: 2021/04/26 10:20 AM PDT
On April 13th, 2021, AWS became aware of an edge case that affected how some Application Load Balancers (ALBs) handled key rotation for TLS/SSL session ticket encryption. The edge case was introduced in September 2020 and resulted in a small percentage of ALB traffic intermittently using an uninitialized session ticket encryption key. It was triggered primarily during sustained quiet periods of activity; ALBs with a high variation in traffic, such as daily peaks and troughs, rarely triggered it. Mitigation began within 8 hours of discovery and was complete by April 16th, 2021. This issue has been completely resolved.
TLS/SSL is the protocol that provides encryption in transit for HTTPS connections to ALBs. Session tickets are used to resume TLS/SSL sessions: each ticket carries an encrypted copy of the parameters (the session state) used to protect the connection, encrypted under a key known only to the server. Session tickets are primarily used when the client is a web browser. Connections affected by the edge case were still encrypted and showed no outward signs of any issue. However, knowledge of the edge case could theoretically be used to decrypt affected session tickets, and in the very unlikely case that an affected connection was being observed, the parameters recovered from an affected ticket could be used to decrypt that connection.
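To make the mechanism concrete, the following is an added example (not AWS code, and not a description of how ALB implements tickets). It models a server-side ticket in the RFC 5077 layout (key name, IV, encrypted session state, MAC) with a two-slot rotating key ring, and shows the failure mode: a slot that rotation never wrote stays all zeros, a ticket sealed under it can be opened by any observer who guesses that key, and the session's master secret falls out. Everything here is an assumption for illustration: the all-zero "uninitialized" key (AWS did not publish what the uninitialized key contained), the toy HMAC-SHA256 counter-mode cipher standing in for AES so the block needs only the standard library, the slot names, and the `is_usable_ticket_key` check that a server should run before using a key slot.

```python
import hashlib
import hmac
import os
import struct

# Ticket layout follows RFC 5077 section 4: key_name | IV | encrypted_state | MAC.
KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32
KEY_LEN = 32
UNINITIALIZED = bytes(KEY_LEN)  # assumption: a never-written key slot reads as all zeros


def _keystream(enc_key, iv, length):
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    blocks = [hmac.new(enc_key, iv + struct.pack(">I", n), hashlib.sha256).digest()
              for n in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal_ticket(key_name, enc_key, mac_key, session_state, iv=None):
    """Server side: encrypt the session state under the ticket key, then MAC."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    body = key_name + iv + _xor(session_state, _keystream(enc_key, iv, len(session_state)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_ticket(ticket, enc_key, mac_key):
    """Verify the MAC and decrypt; returns None if the MAC does not match."""
    body, tag = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
    ct = body[KEY_NAME_LEN + IV_LEN:]
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def derive_subkeys(ticket_key):
    """Split one rotated ticket key into separate encryption and MAC keys."""
    return (hmac.new(ticket_key, b"enc", hashlib.sha256).digest(),
            hmac.new(ticket_key, b"mac", hashlib.sha256).digest())


def is_usable_ticket_key(key):
    """The check to run before using a slot: refuse keys of the wrong length
    or keys that are all zeros (never written by rotation)."""
    return len(key) == KEY_LEN and any(key)


class TicketKeyRing:
    """Two key slots; rotate(i) fills slot i with fresh random bytes. A slot
    that rotation never reached keeps the all-zero placeholder."""

    def __init__(self):
        self.slots = [UNINITIALIZED, UNINITIALIZED]
        self.names = [b"slot-0".ljust(KEY_NAME_LEN, b"\0"),
                      b"slot-1".ljust(KEY_NAME_LEN, b"\0")]

    def rotate(self, index):
        self.slots[index] = os.urandom(KEY_LEN)

    def issue(self, index, session_state, check=True):
        key = self.slots[index]
        if check and not is_usable_ticket_key(key):
            raise ValueError("refusing to issue a ticket under an uninitialized key")
        enc, mac = derive_subkeys(key)
        return seal_ticket(self.names[index], enc, mac, session_state)


def recover_with_guessed_key(ticket, guessed_key):
    """Observer's view: whoever knows the server may seal tickets under an
    all-zero key can open those tickets and read the session secrets."""
    enc, mac = derive_subkeys(guessed_key)
    return open_ticket(ticket, enc, mac)


def _raises_value_error(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def demo():
    master_secret = os.urandom(48)  # constructed TLS 1.2 master secret
    ring = TicketKeyRing()
    ring.rotate(0)                  # slot 0 rotated normally; slot 1 never written
    good = ring.issue(0, master_secret)
    bad = ring.issue(1, master_secret, check=False)  # the edge case: unchecked slot
    return {
        "good_leaks": recover_with_guessed_key(good, UNINITIALIZED) == master_secret,
        "bad_leaks": recover_with_guessed_key(bad, UNINITIALIZED) == master_secret,
        "check_blocks_bad": _raises_value_error(lambda: ring.issue(1, master_secret)),
    }


if __name__ == "__main__":
    print(demo())
```

The ticket sealed under the rotated slot stays opaque to the observer (the MAC check fails and nothing is returned), while the one sealed under the zero slot yields the master secret, which is exactly what an observer with a captured handshake needs to decrypt the connection. The caveat that applies to every TLS 1.2 ticket scheme, not only this edge case, is that ticket keys undo forward secrecy for as long as they are valid: anyone who later learns a ticket key can open every ticket it sealed, so keys must be unpredictable from the moment a slot is used and rotated on a short schedule.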
The AWS network includes existing defense-in-depth protections against this kind of issue. As a result, ALB traffic between AWS data centers, Availability Zones, Regions, Local Zones, and Outposts was fully protected by AWS network encryption. ALB traffic between AWS networks and customer premises using the Amazon VPN or Amazon Direct Connect MACsec services was also fully protected. AWS Network Load Balancers (NLBs), Classic Load Balancers (CLBs), and other Amazon Web Services were not affected by this issue.
AWS would like to thank Simon Nachtigall, Sven Hebrok, Marcel Maehren, Robert Merget, and Juraj Somorovsky of Paderborn University and Ruhr University Bochum, Germany, for reporting this issue.