8 matches found
CVE-2022-39368 Californium: failing DTLS handshakes cause data loss because throttling blocks processing of records
Eclipse Californium is a Java implementation of RFC 7252, the Constrained Application Protocol (CoAP) for IoT cloud services. In versions prior to 3.7.0 and 2.7.4, Californium is vulnerable to a denial of service: failing handshakes do not clean up the throttling counters, so the threshold is reached...
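The defect described above is a counter that is incremented when a handshake starts and only decremented when it succeeds. The following Python model (an added example, not Californium code; the class, threshold and traffic pattern are constructed) shows why that turns a stream of failing handshakes into a denial of service for everyone else, and what the regression check looks like: after a failed handshake the pending counter must be back where it started.

```python
"""Model of a handshake throttle whose counter leaks on failure.

Constructed example, not Eclipse Californium code. The threshold value and
the traffic pattern are assumptions chosen to make the effect visible.
"""
from dataclasses import dataclass


@dataclass
class ThrottledHandshaker:
    max_pending: int           # at most this many handshakes in flight
    cleanup_on_failure: bool   # False reproduces the vulnerable behaviour
    pending: int = 0
    dropped: int = 0
    completed: int = 0

    def on_client_hello(self, fails: bool) -> bool:
        """Process one incoming handshake.

        Returns True if the handshake was processed (successfully or not) and
        False if its records were dropped because the throttle was saturated.
        """
        if self.pending >= self.max_pending:
            # Throttle reached: every new record is discarded, including
            # those of legitimate peers.
            self.dropped += 1
            return False
        self.pending += 1
        if fails:
            # Vulnerable variant forgets to release the slot here, so each
            # failed handshake permanently consumes part of the threshold.
            if self.cleanup_on_failure:
                self.pending -= 1
            return True
        self.pending -= 1
        self.completed += 1
        return True


def run_scenario(cleanup_on_failure: bool, max_pending: int = 4) -> dict:
    """Constructed traffic: 10 failing handshakes, then 5 legitimate ones."""
    h = ThrottledHandshaker(max_pending, cleanup_on_failure)
    for _ in range(10):
        h.on_client_hello(fails=True)
    for _ in range(5):
        h.on_client_hello(fails=False)
    return {"pending": h.pending, "dropped": h.dropped, "completed": h.completed}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(cleanup_on_failure=False))
    print("fixed:     ", run_scenario(cleanup_on_failure=True))
```

With the leak, four failing handshakes pin the counter at the threshold and every later record, including the five legitimate handshakes, is dropped; with cleanup on failure the counter returns to zero after each failure and all five complete.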
CVE-2022-2576
In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a full DTLS handshake on a parameter mismatch without using a HelloVerifyRequest. Especially with certificate-based cipher suites, this results in message amplification that can be used to DDoS other peer...
CVE-2022-2576
In Eclipse Californium, CVE-2022-2576 affects versions 2.0.0–2.7.2 and 3.0.0–3.5.0. The DTLS resumption handshake can fall back to a full DTLS handshake on parameter mismatch without a HelloVerifyRequest, which, when used with certificate-based cipher suites, enables message amplification that ca...
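Both entries above describe the same mechanism: the cookie exchange of RFC 6347 (HelloVerifyRequest) exists so that a server answers an unverified ClientHello with a small message until the peer proves it can receive traffic at the claimed source address, and the bug is that the fallback from a failed resumption to a full handshake skipped that step. The following Python model is an added example, not Californium code; the server class, the wire sizes and the attacker scenario are assumptions chosen to illustrate the amplification, but the cookie construction (an HMAC over the claimed address and the ClientHello) is the standard stateless approach.

```python
"""Model of the DTLS cookie exchange and of the amplification that appears
when a server skips it on the resumption-to-full-handshake fallback.

Constructed example, not Eclipse Californium code. Message sizes are
assumptions: a full server flight carrying an X.509 chain is typically
kilobytes, while ClientHello and HelloVerifyRequest are small.
"""
import hashlib
import hmac
import os

CLIENT_HELLO_SIZE = 150           # assumed bytes sent by the (spoofing) client
HELLO_VERIFY_SIZE = 60            # assumed HelloVerifyRequest size
ABBREVIATED_FLIGHT_SIZE = 120     # assumed ServerHello + ChangeCipherSpec + Finished
FULL_FLIGHT_SIZE = 4000           # assumed ServerHello + Certificate + ServerKeyExchange + ...


class DtlsServerModel:
    def __init__(self, verify_cookie_on_fallback: bool):
        # False reproduces the vulnerable behaviour: a resumption attempt that
        # cannot be resumed drops straight into a full handshake with no cookie.
        self.verify_cookie_on_fallback = verify_cookie_on_fallback
        self.cookie_key = os.urandom(32)
        self.sessions = set()

    def add_session(self, session_id: bytes) -> None:
        self.sessions.add(session_id)

    def cookie_for(self, peer: str, client_hello: bytes) -> bytes:
        # Stateless cookie bound to the claimed source address and the
        # ClientHello; only a peer that really receives traffic at that
        # address can echo it back in the second ClientHello.
        mac = hmac.new(self.cookie_key, peer.encode() + client_hello, hashlib.sha256)
        return mac.digest()[:16]

    def handle_client_hello(self, peer: str, client_hello: bytes, session_id: bytes,
                            params_match: bool, cookie: bytes = b"") -> tuple[str, int]:
        """Returns (server action, bytes sent back to `peer`)."""
        known = session_id in self.sessions
        if known and params_match:
            # Abbreviated handshake: cheap and small, so skipping the cookie
            # here is the optimisation the vulnerable fallback inherited.
            return ("abbreviated_handshake", ABBREVIATED_FLIGHT_SIZE)
        # A full handshake is required (unknown session or parameter mismatch).
        cookie_required = (not known) or self.verify_cookie_on_fallback
        if cookie_required and not hmac.compare_digest(cookie, self.cookie_for(peer, client_hello)):
            return ("hello_verify_request", HELLO_VERIFY_SIZE)
        return ("full_handshake", FULL_FLIGHT_SIZE)


def amplification_factor(server: DtlsServerModel, session_id: bytes) -> float:
    """Bytes the server sends to a spoofed source per byte the attacker sends.

    Assumed scenario: the attacker spoofs the victim's address and replays a
    session id it has observed (session ids travel in cleartext) together with
    parameters that do not match, forcing the fallback path. No cookie is
    supplied because the attacker never sees the server's replies.
    """
    client_hello = b"\x01" + b"\x00" * 32 + session_id   # constructed ClientHello body
    _, reply_size = server.handle_client_hello("victim:5684", client_hello,
                                               session_id, params_match=False)
    return reply_size / CLIENT_HELLO_SIZE


def compare_servers() -> dict:
    sid = b"\x42" * 8
    vulnerable, fixed = DtlsServerModel(False), DtlsServerModel(True)
    for s in (vulnerable, fixed):
        s.add_session(sid)
    return {"vulnerable": amplification_factor(vulnerable, sid),
            "fixed": amplification_factor(fixed, sid)}


if __name__ == "__main__":
    print(compare_servers())
```

Under these assumed sizes the vulnerable fallback returns roughly 27 bytes to the victim for every byte the attacker spends, while the fixed server answers with a HelloVerifyRequest smaller than the ClientHello, so there is nothing to amplify until the real owner of the address echoes the cookie.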
CVE-2021-34433
The CVE concerns Eclipse Californium, where certificate-based (X.509 and RPK) DTLS handshakes can accidentally succeed on the client side without verifying the server's signature, if that signature is not included in the server's ServerKeyExchange. Since that signature is what proves the peer holds the private key for the certificate it presents, a client that skips the check accepts a server that merely presents someone else's certificate. Affected versions are 2.0.0–2.6.4 and 3.0.0-M1–3.0.0...
CVE-2020-27222
A flaw was found in Californium. Certificate-based (X.509 and RPK) DTLS handshakes fail because the DTLS server side is left in a wrong internal state by a previous certificate-based DTLS handshake failure with a TLS parameter mismatch. The highest threat from this vulnerability is to system...
CVE-2020-27222
In Eclipse Californium versions 2.3.0 to 2.6.0, certificate-based (X.509 and RPK) DTLS handshakes accidentally fail because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate-based DTLS handshake failure with a TLS parameter mismatch...
CVE-2020-27222
CVE-2020-27222 affects the Eclipse Californium DTLS implementation. In versions 2.3.0 through 2.6.0, certificate-based DTLS handshakes fail because the server retains a wrong internal state after a prior handshake failure with a TLS parameter mismatch. This stale state allows a...