CVE-2022-2576

Published: Jul 29, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

Vendor	Product	Versions
The Eclipse Foundation	Eclipse Californium	affected `2.0.0 - < unspecified` affected `unspecified - <= 2.7.2` affected `3.0.0 - < unspecified` affected `unspecified - <= 3.5.0`

Weaknesses (CWE)

CWE-408

References

https://bugs.eclipse.org/580018

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-2576

Description

Affected Products

Weaknesses (CWE)

References