High severity · NVD Advisory · Published Jul 29, 2022 · Updated Aug 3, 2024
CVE-2022-2576
Description
In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without first using a HelloVerifyRequest. Especially when used with certificate-based cipher suites, this results in message amplification (DDoS against other peers, since the large server flight is sent to an unverified source address) and high CPU load (DoS of the peer itself). The misbehaviour occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
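The following toy model, added here and not taken from Californium's code base, shows why the missing HelloVerifyRequest matters. It models a DTLS server that skips the cookie exchange for resumption attempts (a simplification of the threshold > 0 behaviour) and compares the bytes it returns to an unverified source address when a parameter mismatch falls straight through to a certificate-based full handshake against the fixed behaviour, where the fallback first demands a valid cookie. All message sizes, addresses, session ids and the `verify_peer_on_fallback` switch are constructed for the illustration.

```python
"""Toy model of DTLS address validation (RFC 6347 HelloVerifyRequest) around
a resumption-to-full-handshake fallback. Not Californium code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed flight sizes in bytes; the ratios, not the absolute numbers, matter.
CLIENT_HELLO_SIZE = 120        # one ClientHello datagram received from the peer
HELLO_VERIFY_SIZE = 60         # HelloVerifyRequest: header + cookie, no keys, no certificates
RESUME_FLIGHT_SIZE = 150       # ServerHello + ChangeCipherSpec + Finished of an abbreviated handshake
FULL_CERT_FLIGHT_SIZE = 3000   # ServerHello + Certificate chain + ServerKeyExchange + ... of a full handshake

COOKIE_SECRET = os.urandom(32)  # constructed; a real server rotates this secret


def make_cookie(peer_addr: str, client_random: bytes) -> bytes:
    """Stateless cookie bound to the claimed source address (RFC 6347 section 4.2.1)."""
    mac = hmac.new(COOKIE_SECRET, peer_addr.encode() + client_random, hashlib.sha256)
    return mac.digest()[:16]


@dataclass
class ClientHello:
    peer_addr: str            # source address of the datagram; unauthenticated until the cookie round trip
    client_random: bytes
    cipher_suite: str
    session_id: bytes = b""   # non-empty: the client asks to resume this session
    cookie: bytes = b""       # empty on the first attempt


@dataclass
class ServerFlight:
    kind: str                 # "HelloVerifyRequest", "resume" or "full"
    size: int                 # bytes sent back to peer_addr


def handle_client_hello(hello: ClientHello, sessions: dict, verify_peer_on_fallback: bool) -> ServerFlight:
    """Decide the server's reply. verify_peer_on_fallback=False models the vulnerable
    behaviour (mismatch falls straight to a full handshake); True models the fix."""
    cookie_ok = bool(hello.cookie) and hmac.compare_digest(
        hello.cookie, make_cookie(hello.peer_addr, hello.client_random))
    stored_suite = sessions.get(hello.session_id) if hello.session_id else None

    if stored_suite is not None:
        # Resumption attempt for a known session: the server trusts the session id enough
        # to skip the cookie exchange (the threshold > 0 case, simplified).
        if stored_suite == hello.cipher_suite:
            return ServerFlight("resume", RESUME_FLIGHT_SIZE)
        # Parameter mismatch: fall back to a full handshake. This is the CVE-2022-2576 spot.
        if verify_peer_on_fallback and not cookie_ok:
            return ServerFlight("HelloVerifyRequest", HELLO_VERIFY_SIZE)
        return ServerFlight("full", FULL_CERT_FLIGHT_SIZE)

    # Unknown session or plain full handshake: always demand a valid cookie first.
    if not cookie_ok:
        return ServerFlight("HelloVerifyRequest", HELLO_VERIFY_SIZE)
    return ServerFlight("full", FULL_CERT_FLIGHT_SIZE)


def amplification(hello: ClientHello, sessions: dict, verify_peer_on_fallback: bool) -> float:
    """Bytes the server sends to the (possibly spoofed) source address per ClientHello byte received."""
    flight = handle_client_hello(hello, sessions, verify_peer_on_fallback)
    return flight.size / CLIENT_HELLO_SIZE


# Constructed session cache: one known session negotiated with a certificate-based suite.
SESSIONS = {b"\x01" * 8: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"}


def demo() -> tuple:
    """Amplification for a resumption ClientHello whose cipher suite no longer matches,
    first with the vulnerable fallback, then with the fixed one."""
    mismatched = ClientHello(peer_addr="198.51.100.7:5684", client_random=os.urandom(32),
                             cipher_suite="TLS_PSK_WITH_AES_128_CCM_8", session_id=b"\x01" * 8)
    return (amplification(mismatched, SESSIONS, False),   # vulnerable: 25.0
            amplification(mismatched, SESSIONS, True))    # fixed: 0.5


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print(f"amplification without HelloVerifyRequest on fallback: {vulnerable:.1f}x")
    print(f"amplification with HelloVerifyRequest on fallback:    {fixed:.1f}x")
```

With the constructed sizes the vulnerable path answers one unverified datagram with twenty-five times as many bytes, whereas the fixed path keeps the reply below the request size until the peer has proven it can receive at the claimed address; the full flight is only sent once the cookie round trip succeeds. When auditing a Californium deployment, the practical check is the configured value of DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD together with the library version against the patched releases listed below.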
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.californium:californium-core | Maven | >= 2.0.0, < 2.7.3 | 2.7.3 |
| org.eclipse.californium:californium-core | Maven | >= 3.0.0, < 3.6.0 | 3.6.0 |
References
- github.com/advisories/GHSA-qq3j-44gw-cf6r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-2576 (NVD advisory)
- bugs.eclipse.org/580018 (Eclipse bug report)
- github.com/eclipse-californium/californium/commit/0cc953a1dc071efc960130e229fcb4f8bda7f9df (fix commit)
- github.com/eclipse-californium/californium/commit/8373db84b2d07f22c39ffc333ab881dba9401722 (fix commit)
- github.com/eclipse-californium/californium/pull/2039 (fix pull request)