Home > Vulnerability Database > CVE-2022-2576

Mend.io Vulnerability Database

CVE-2022-2576

Good to know:

Date: July 29, 2022

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

Language: Java

Severity Score

7.5

Related Resources (7)

Url: https://github.com/eclipse/californium

Url: https://github.com/eclipse-californium/californium/pull/2039

Url: https://github.com/eclipse-californium/californium/commit/0cc953a1dc071efc960130e229fcb4f8bda7f9df

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-2576

Url: https://bugs.eclipse.org/580018

Url: https://github.com/eclipse-californium/californium/commit/8373db84b2d07f22c39ffc333ab881dba9401722

Url: https://www.mend.io/vulnerability-database/CVE-2022-2576

Severity Score

7.5

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Incorrect Behavior Order: Early Amplification

CWE-408

Top Fix

Upgrade Version

Upgrade to version org.eclipse.californium:californium-core:2.7.3;org.eclipse.californium:californium-core:3.6.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-2576

Good to know:

Date: July 29, 2022

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?