GHSA-qq3j-44gw-cf6r

Source

https://github.com/advisories/GHSA-qq3j-44gw-cf6r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-qq3j-44gw-cf6r/GHSA-qq3j-44gw-cf6r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qq3j-44gw-cf6r

Aliases

CVE-2022-2576

Published

2022-07-30T00:00:35Z

Modified

2023-11-08T04:08:47.900072Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch

Details

In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLSVERIFYPEERSONRESUMPTION_THRESHOLD values larger than 0.

Database specific

{
    "nvd_published_at": "2022-07-29T14:15:00Z",
    "github_reviewed_at": "2022-08-10T15:41:24Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-408"
    ]
}

References

Affected packages

Maven / org.eclipse.californium:californium-core

Package

Name: org.eclipse.californium:californium-core; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.californium/californium-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.7.3

Affected versions

2.*

2.0.0

2.1.0-RC1

2.1.0-RC2

2.1.0

2.2.0-RC1

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0-RC1

2.3.0-RC2

2.3.0

2.3.1

2.4.0

2.4.1

2.5.0

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.7.0

2.7.1

2.7.2

Database specific

{
    "last_known_affected_version_range": "<= 2.7.2"
}

Maven / org.eclipse.californium:californium-core

Package

Name: org.eclipse.californium:californium-core; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.californium/californium-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.6.0

Affected versions

3.*

3.0.0

3.1.0

3.2.0

3.3.0

3.3.1

3.4.0

3.5.0

Database specific

{
    "last_known_affected_version_range": "<= 3.5.0"
}