
CVE-2022-2576

Incorrect Behavior Order: Early Amplification

Published: Jul 29, 2022 | Modified: Nov 21, 2024
CVSS 3.x: 7.5 (HIGH), source: NVD
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without first using a HelloVerifyRequest. In particular, when used with certificate-based cipher suites, this results in message amplification (DDoS of other peers) and high CPU load (DoS of the affected peer itself). The misbehaviour occurs only when DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD is set to a value larger than 0.

Weakness

The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.

Affected Software

Name         Vendor   Start Version        End Version
Californium  Eclipse  2.0.0 (including)    2.7.2 (including)
Californium  Eclipse  3.0.0 (including)    3.5.0 (including)
