All the vulnerabilities related to The Eclipse Foundation - Eclipse Californium
cve-2021-34433
Vulnerability from cvelistv5
Published
2021-08-20 17:10
Modified
2024-08-04 00:12
Summary
In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate-based (x509 and RPK) DTLS handshake accidentally succeeds on the client side without verifying the server's signature if that signature is not included in the server's ServerKeyExchange; the client therefore completes the key exchange without authenticating the server (CWE-322).
References
▼ | URL | Tags |
---|---|---|
https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281 | x_refsource_CONFIRM |
Impacted products
▼ | Vendor | Product |
---|---|---|
The Eclipse Foundation | Eclipse Californium |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:12:50.235Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Californium", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThanOrEqual": "2.6.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0-M1", "versionType": "custom" }, { "lessThanOrEqual": "3.0.0-M3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-322", "description": "CWE-322: Key Exchange without Entity Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-20T17:10:10", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-34433", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Californium", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2.0.0" }, { "version_affected": "\u003c=", "version_value": "2.6.4" }, { "version_affected": "\u003e=", "version_value": "3.0.0-M1" }, { "version_affected": "\u003c=", "version_value": "3.0.0-M3" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-322: Key Exchange without Entity Authentication" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-34433", "datePublished": "2021-08-20T17:10:10", "dateReserved": "2021-06-09T00:00:00", "dateUpdated": "2024-08-04T00:12:50.235Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-27222
Vulnerability from cvelistv5
Published
2021-02-03 15:45
Modified
2024-08-04 16:11
Summary
In Eclipse Californium version 2.3.0 to 2.6.0, certificate-based (x509 and RPK) DTLS handshakes accidentally fail because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate-based DTLS handshake failure with a TLS parameter mismatch. The DTLS server side must be restarted to recover from this. This allows clients to force a DoS.
References
▼ | URL | Tags |
---|---|---|
https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844 | x_refsource_CONFIRM |
Impacted products
▼ | Vendor | Product |
---|---|---|
The Eclipse Foundation | Eclipse Californium |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:11:36.000Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Californium", "vendor": "The Eclipse Foundation", "versions": [ { "status": "affected", "version": "[2.3.0, 2.6.0]" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-372", "description": "CWE-372: Incomplete Internal State Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-03T16:36:38", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2020-27222", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Californium", "version": { "version_data": [ { "version_value": "[2.3.0, 2.6.0]" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the 
DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-372: Incomplete Internal State Distinction" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2020-27222", "datePublished": "2021-02-03T15:45:13", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-08-04T16:11:36.000Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2576
Vulnerability from cvelistv5
Published
2022-07-29 13:20
Modified
2024-08-03 00:39
Summary
In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially if used with certificate-based cipher suites, that results in message amplification (DDoS of other peers) and high CPU load (DoS of the own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
References
▼ | URL | Tags |
---|---|---|
https://bugs.eclipse.org/580018 | x_refsource_CONFIRM |
Impacted products
▼ | Vendor | Product |
---|---|---|
The Eclipse Foundation | Eclipse Californium |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:08.153Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.eclipse.org/580018" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Californium", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThanOrEqual": "2.7.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "3.5.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-408", "description": "CWE-408: Incorrect Behavior Order: Early Amplification", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-29T13:20:10", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.eclipse.org/580018" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2022-2576", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Californium", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2.0.0" }, { "version_affected": "\u003c=", "version_value": "2.7.2" }, { "version_affected": "\u003e=", "version_value": "3.0.0" }, { "version_affected": "\u003c=", "version_value": "3.5.0" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-408: Incorrect Behavior Order: Early Amplification" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugs.eclipse.org/580018", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/580018" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2022-2576", "datePublished": "2022-07-29T13:20:10", "dateReserved": "2022-07-29T00:00:00", "dateUpdated": "2024-08-03T00:39:08.153Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }