CVE-2022-2576 – org.eclipse.californium:californium-core

Package

Manager: maven
Name: org.eclipse.californium:californium-core
Vulnerable Version: >=2.0.0 <2.7.3 || >=3.0.0 <3.6.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00204 pctl0.42656

Details

Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

Metadata

Created: 2022-07-30T00:00:35Z
Modified: 2022-08-10T15:41:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-qq3j-44gw-cf6r/GHSA-qq3j-44gw-cf6r.json
CWE IDs: ["CWE-408"]
Alternative ID: GHSA-qq3j-44gw-cf6r
Finding: F115
Auto approve: 1