GMS-2021-93: Import of incorrectly embargoed keys could cause early publication

May 21, 2021

Impact

If your installation is using the export-importer service, there is potential impact. If your installation is not importing keys via the export-importer services, your installation is not impacted.

In versions 0.19.1 and earlier, the export-importer service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.

This could allow allow for imported keys to be re-published before they have expired, allowing for potential replay of RPIs.

Patches

This is patched in v0.18.3 and all versions 0.19.2 and later.

Workarounds

Ensure that the servers you are importing export zip files from are not publishing keys too early.

References

n/a

For more information

If you have any questions or comments about this advisory

Open an issue in exposure-notifications-server
Email us at exposure-notifications-feedback@google.com

References

Detect and mitigate GMS-2021-93 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →