AWS cloudhsm documentation change
Summary
Added a new known issue about cryptographic operations failing with 'Sequence number is outside of window' errors under high concurrency, including impact, workaround, and resolution details. Also updated resolution status for a previous issue.
Security assessment
The change documents a reliability issue under high concurrency that causes transient errors, not a security vulnerability. It mentions the issue occurs due to thread scheduling delays and increased parallel operations as part of improved security posture, but doesn't indicate an exploitable weakness. The resolution involves adding retry logic in the SDK, which is a robustness improvement rather than a security fix.
Diff
diff --git a/cloudhsm/latest/userguide/ki-all.md b/cloudhsm/latest/userguide/ki-all.md index 631fef287..b4d06ff0f 100644 --- a//cloudhsm/latest/userguide/ki-all.md +++ b//cloudhsm/latest/userguide/ki-all.md @@ -7 +7 @@ -Issue: AES key wrapping uses PKCS #5 padding instead of providing a standards-compliant implementation of key wrap with zero paddingIssue: The client daemon requires at least one valid IP address in its configuration file to successfully connect to the clusterIssue: There was an upper limit of 16 KB on data that can be hashed and signed by AWS CloudHSM using Client SDK 3Issue: Imported keys could not be specified as non-exportableIssue: The default mechanism for the wrapKey and unWrapKey commands in the key_mgmt_util has been removedIssue: If you have a single HSM in your cluster, HSM failover does not work correctlyIssue: If you exceed the key capacity of the HSMs in your cluster within a short period of time, the client enters an unhandled error stateIssue: Digest operations with HMAC keys of size greater than 800 bytes are not supportedIssue: The client_info tool, distributed with Client SDK 3, deletes the contents of the path specified by the optional output argumentIssue: You receive an error when running the SDK 5 configure tool using the --cluster-id argument in containerized environmentsIssue: You receive the error "Failed to create cert/key from provided pfx file. Error: NotPkcs8"Issue: ECDSA signing fails with "invalid mechanism" error starting with SDK 5.16Issue: Signing operations with prehashed data do not properly clear session tokens in interactive modeIssue: CloudHSM client library's default client certificate expires on Jan 31, 2026Issue: Client SDK 5 connection fails due to weak CA certificate key +Issue: AES key wrapping uses PKCS #5 padding instead of providing a standards-compliant implementation of key wrap with zero paddingIssue: The client daemon requires at least one valid IP address in its configuration file to successfully connect to the clusterIssue: There was an upper limit of 16 KB on data that can be hashed and signed by AWS CloudHSM using Client SDK 3Issue: Imported keys could not be specified as non-exportableIssue: The default mechanism for the wrapKey and unWrapKey commands in the key_mgmt_util has been removedIssue: If you have a single HSM in your cluster, HSM failover does not work correctlyIssue: If you exceed the key capacity of the HSMs in your cluster within a short period of time, the client enters an unhandled error stateIssue: Digest operations with HMAC keys of size greater than 800 bytes are not supportedIssue: The client_info tool, distributed with Client SDK 3, deletes the contents of the path specified by the optional output argumentIssue: You receive an error when running the SDK 5 configure tool using the --cluster-id argument in containerized environmentsIssue: You receive the error "Failed to create cert/key from provided pfx file. Error: NotPkcs8"Issue: ECDSA signing fails with "invalid mechanism" error starting with SDK 5.16Issue: Signing operations with prehashed data do not properly clear session tokens in interactive modeIssue: CloudHSM client library's default client certificate expires on Jan 31, 2026Issue: Client SDK 5 connection fails due to weak CA certificate keyIssue: Cryptographic operations fail with "Sequence number is outside of window" errors under high concurrency @@ -44,0 +45,2 @@ The following issues impact all AWS CloudHSM users regardless of whether they us + * Issue: Cryptographic operations fail with "Sequence number is outside of window" errors under high concurrency + @@ -209 +211,12 @@ After upgrading to Client SDK 5 version 5.17.0 or 5.17.1, your application fails - * **Resolution status:** We are currently working on a fix. + * **Resolution status:** This issue has been resolved in [Client SDK 5.17.2](./latest-releases.html#client-version-5-17-2). Upgrade to version 5.17.2 or later to benefit from the fix. + + + + +## Issue: Cryptographic operations fail with "Sequence number is outside of window" errors under high concurrency + + * **Impact:** Under high-concurrency workloads, Client SDK 5 can occasionally return transient operation failures. Client SDK 5 increases the volume of parallel operations to the HSM as part of its improved security posture. Under heavy load, thread scheduling delays can cause transient failures that are recoverable on retry. + + * **Workaround:** Implement application-level retry logic for transient errors. Refer to our [best practices guide](./bp-application-integration.html). You may also reduce load on the client by limiting the number of parallel cryptographic operations or upgrading to an instance type with more CPU cores. + + * **Resolution status:** We have added retries in [Client SDK 5.17.2](./latest-releases.html#client-version-5-17-2). You must upgrade to this client version or later to benefit from the updates.